| Message ID | 20250325025424.14079-1-pkshih@realtek.com |
|---|---|
| State | New |
| Headers | show |
| Series | [rtw-next] wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data | expand |
diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index 8643b17866f8..c1d1e9ec08db 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c @@ -554,7 +554,7 @@ const struct rtw89_mfw_hdr *rtw89_mfw_get_hdr_ptr(struct rtw89_dev *rtwdev, if (sizeof(*mfw_hdr) > firmware->size) return NULL; - mfw_hdr = (const struct rtw89_mfw_hdr *)firmware->data; + mfw_hdr = (const struct rtw89_mfw_hdr *)&firmware->data[0]; if (mfw_hdr->sig != RTW89_MFW_SIG) return NULL;
The firmware->size is validated before using firmware->data, but Coverity still reports: Downcasting "firmware->data" from "u8 const *" to "struct rtw89_mfw_hdr" implies that the data that this pointer points to is tainted." Using &firmware->data[0] to avoid the warning. No change logic at all. Addresses-Coverity-ID: 1494046 ("Untrusted loop bound") Addresses-Coverity-ID: 1544385 ("Untrusted array index read") Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> --- drivers/net/wireless/realtek/rtw89/fw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)