| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 27 Feb 2010 15:20:31 +0100
From: Benoit PAPILLAULT <benoit.papillault@...e.fr>
To: Dan Carpenter <error27@...il.com>, Daniel Drake <dsd@...too.org>,
Ulrich Kunitz <kune@...ne-taler.de>,
"John W. Linville" <linville@...driver.com>,
Johannes Berg <johannes@...solutions.net>,
"Luis R. Rodriguez" <lrodriguez@...eros.com>,
André Goddard Rosa
<andre.goddard@...il.com>,
Benoit PAPILLAULT <benoit.papillault@...e.fr>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [patch] zd1211rw: fix potential array underflow
Dan Carpenter a écrit :
> The first chunk fixes a debugging assert to print a warning about array underflows.
> The second chunk corrects a potential array underflow. I also removed an assert
> in the second chunk because it can no longer happen.
>
> Signed-off-by: Dan Carpenter <error27@...il.com>
> ---
> This was found by a static check and compile tested only. Please review carefully.
>
> diff --git a/drivers/net/wireless/zd1211rw/zd_mac.c b/drivers/net/wireless/zd1211rw/zd_mac.c
> index f14deb0..ead2f2c 100644
> --- a/drivers/net/wireless/zd1211rw/zd_mac.c
> +++ b/drivers/net/wireless/zd1211rw/zd_mac.c
> @@ -350,7 +350,7 @@ static void zd_mac_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
> first_idx = info->status.rates[0].idx;
> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
> retries = &zd_retry_rates[first_idx];
> - ZD_ASSERT(0<=retry && retry<=retries->count);
> + ZD_ASSERT(1 <= retry && retry <= retries->count);
>
Note: normal hardware always report a tx_status->retry >= 1. There are 2
code paths to initialize retry itself : either tx_status is NULL and
then retry=1 (so we are safe), or tx_status is not NULL and retry =
tx_status->retry + success >=1 (so we are safe again).
However, I wonder how we should handle if it happens that the HW reports
a tx_status->retry = 0. I think ZD_ASSERT purpose is to catch
programming errors, not bogus hardware. Comments?
>
> info->status.rates[0].idx = retries->rate[0];
> info->status.rates[0].count = 1; // (retry > 1 ? 2 : 1);
> @@ -360,7 +360,7 @@ static void zd_mac_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
> info->status.rates[i].count = 1; // ((i==retry-1) && success ? 1:2);
> }
> for (; i<IEEE80211_TX_MAX_RATES && i<retry; i++) {
> - info->status.rates[i].idx = retries->rate[retry-1];
> + info->status.rates[i].idx = retries->rate[retry - 1];
> info->status.rates[i].count = 1; // (success ? 1:2);
> }
> if (i<IEEE80211_TX_MAX_RATES)
> @@ -424,12 +424,10 @@ void zd_mac_tx_failed(struct urb *urb)
> first_idx = info->status.rates[0].idx;
> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
> retries = &zd_retry_rates[first_idx];
> - if (retry < 0 || retry > retries->count) {
> + if (retry <= 0 || retry > retries->count)
> continue;
> - }
>
> - ZD_ASSERT(0<=retry && retry<=retries->count);
> - final_idx = retries->rate[retry-1];
> + final_idx = retries->rate[retry - 1];
> final_rate = zd_rates[final_idx].hw_value;
>
> if (final_rate != tx_status->rate) {
>
>
Acked-by: Benoit Papillault <benoit.papillault@...e.fr>
Regards,
Benoit
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists