lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sat, 27 Feb 2010 18:27:30 +0100
From:	walter harms <wharms@....de>
To:	Benoit PAPILLAULT <benoit.papillault@...e.fr>
CC:	Dan Carpenter <error27@...il.com>, Daniel Drake <dsd@...too.org>,
	Ulrich Kunitz <kune@...ne-taler.de>,
	"John W. Linville" <linville@...driver.com>,
	Johannes Berg <johannes@...solutions.net>,
	"Luis R. Rodriguez" <lrodriguez@...eros.com>,
	André Goddard Rosa 
	<andre.goddard@...il.com>, linux-wireless@...r.kernel.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [patch] zd1211rw: fix potential array underflow



Benoit PAPILLAULT schrieb:
> Dan Carpenter a écrit :
>> The first chunk fixes a debugging assert to print a warning about
>> array underflows.
>> The second chunk corrects a potential array underflow.  I also removed
>> an assert
>> in the second chunk because it can no longer happen.
>>
>> Signed-off-by: Dan Carpenter <error27@...il.com>
>> ---
>> This was found by a static check and compile tested only.  Please
>> review carefully.
>>
>> diff --git a/drivers/net/wireless/zd1211rw/zd_mac.c
>> b/drivers/net/wireless/zd1211rw/zd_mac.c
>> index f14deb0..ead2f2c 100644
>> --- a/drivers/net/wireless/zd1211rw/zd_mac.c
>> +++ b/drivers/net/wireless/zd1211rw/zd_mac.c
>> @@ -350,7 +350,7 @@ static void zd_mac_tx_status(struct ieee80211_hw
>> *hw, struct sk_buff *skb,
>>      first_idx = info->status.rates[0].idx;
>>      ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
>>      retries = &zd_retry_rates[first_idx];
>> -    ZD_ASSERT(0<=retry && retry<=retries->count);
>> +    ZD_ASSERT(1 <= retry && retry <= retries->count);
>>   
> Note: normal hardware always report a tx_status->retry >= 1. There are 2
> code paths to initialize retry itself : either tx_status is NULL and
> then retry=1 (so we are safe), or tx_status is not NULL and retry =
> tx_status->retry + success >=1 (so we are safe again).
> 
> However, I wonder how we should handle if it happens that the HW reports
> a tx_status->retry = 0. I think ZD_ASSERT purpose is to catch
> programming errors, not bogus hardware. Comments?


Simply assume the worst, so far i see the patch does not
add more code nor should it change normal behavier.
This will help to make the code more robust.

just my 2 cents,
 walter



>>  
>>      info->status.rates[0].idx = retries->rate[0];
>>      info->status.rates[0].count = 1; // (retry > 1 ? 2 : 1);
>> @@ -360,7 +360,7 @@ static void zd_mac_tx_status(struct ieee80211_hw
>> *hw, struct sk_buff *skb,
>>          info->status.rates[i].count = 1; // ((i==retry-1) && success
>> ? 1:2);
>>      }
>>      for (; i<IEEE80211_TX_MAX_RATES && i<retry; i++) {
>> -        info->status.rates[i].idx = retries->rate[retry-1];
>> +        info->status.rates[i].idx = retries->rate[retry - 1];
>>          info->status.rates[i].count = 1; // (success ? 1:2);
>>      }
>>      if (i<IEEE80211_TX_MAX_RATES)
>> @@ -424,12 +424,10 @@ void zd_mac_tx_failed(struct urb *urb)
>>          first_idx = info->status.rates[0].idx;
>>          ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
>>          retries = &zd_retry_rates[first_idx];
>> -        if (retry < 0 || retry > retries->count) {
>> +        if (retry <= 0 || retry > retries->count)
>>              continue;
>> -        }
>>  
>> -        ZD_ASSERT(0<=retry && retry<=retries->count);
>> -        final_idx = retries->rate[retry-1];
>> +        final_idx = retries->rate[retry - 1];
>>          final_rate = zd_rates[final_idx].hw_value;
>>  
>>          if (final_rate != tx_status->rate) {
>>
>>   
> Acked-by: Benoit Papillault <benoit.papillault@...e.fr>
> 
> Regards,
> Benoit
> 
> -- 
> To unsubscribe from this list: send the line "unsubscribe
> kernel-janitors" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ