
ath9k: Fix read buffer overflow

Message ID 4A811464.4030108@gmail.com (mailing list archive)
State Not Applicable, archived

Commit Message

Roel Kluin Aug. 11, 2009, 6:49 a.m. UTC
Prevent a read of powInfo[-1] in the first iteration.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

John W. Linville Aug. 11, 2009, 6:25 p.m. UTC | #1
Comments from the ath9k crowd?

On Tue, Aug 11, 2009 at 08:49:08AM +0200, Roel Kluin wrote:
> Prevent a read of powInfo[-1] in the first iteration.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
> index ce0e86c..e67db2c 100644
> --- a/drivers/net/wireless/ath/ath9k/eeprom.c
> +++ b/drivers/net/wireless/ath/ath9k/eeprom.c
> @@ -150,10 +150,10 @@ static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
>  						       IS_CHAN_2GHZ(chan))) {
>  				matchIndex = i;
>  				break;
> -			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> -						      IS_CHAN_2GHZ(chan))) &&
> -				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> -						      IS_CHAN_2GHZ(chan)))) {
> +			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> +				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> +						IS_CHAN_2GHZ(chan))) {
>  				lowIndex = i - 1;
>  				break;
>  			}
> @@ -268,10 +268,10 @@ static void ath9k_hw_get_target_powers(struct ath_hw *ah,
>  				matchIndex = i;
>  				break;
>  			} else
> -				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> -						       IS_CHAN_2GHZ(chan))) &&
> -				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> -						       IS_CHAN_2GHZ(chan)))) {
> +				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> +				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> +						IS_CHAN_2GHZ(chan))) {
>  					lowIndex = i - 1;
>  					break;
>  				}
>
John W. Linville Aug. 20, 2009, 2:52 p.m. UTC | #2
Anybody?

On Tue, Aug 11, 2009 at 02:25:14PM -0400, John W. Linville wrote:
> Comments from the ath9k crowd?
> 
> On Tue, Aug 11, 2009 at 08:49:08AM +0200, Roel Kluin wrote:
> > Prevent a read of powInfo[-1] in the first iteration.
> > 
> > Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> > ---
> > diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
> > index ce0e86c..e67db2c 100644
> > --- a/drivers/net/wireless/ath/ath9k/eeprom.c
> > +++ b/drivers/net/wireless/ath/ath9k/eeprom.c
> > @@ -150,10 +150,10 @@ static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
> >  						       IS_CHAN_2GHZ(chan))) {
> >  				matchIndex = i;
> >  				break;
> > -			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > -						      IS_CHAN_2GHZ(chan))) &&
> > -				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > -						      IS_CHAN_2GHZ(chan)))) {
> > +			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> > +				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > +						IS_CHAN_2GHZ(chan))) {
> >  				lowIndex = i - 1;
> >  				break;
> >  			}
> > @@ -268,10 +268,10 @@ static void ath9k_hw_get_target_powers(struct ath_hw *ah,
> >  				matchIndex = i;
> >  				break;
> >  			} else
> > -				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > -						       IS_CHAN_2GHZ(chan))) &&
> > -				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > -						       IS_CHAN_2GHZ(chan)))) {
> > +				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
> > +						IS_CHAN_2GHZ(chan)) && i > 0 &&
> > +				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
> > +						IS_CHAN_2GHZ(chan))) {
> >  					lowIndex = i - 1;
> >  					break;
> >  				}
> > 
> 
> -- 
> John W. Linville		Someday the world will need a hero, and you
> linville@tuxdriver.com			might be all we have.  Be ready.
Luis Rodriguez Aug. 24, 2009, 11:34 p.m. UTC | #3
On Thu, Aug 20, 2009 at 7:52 AM, John W. Linville<linville@tuxdriver.com> wrote:
> Anybody?

Sorry for the delay,

Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>

This is actually pretty sloppy existing code and I'd prefer to see
this nasty POS code rewritten to avoid such nasty checks from the
start. Also notice how both ath9k_hw_get_legacy_target_powers() and
ath9k_hw_get_target_powers() do exactly the same, except they use a
different name for the bool, a different structure for the calibrated
power targets (array size changes on one element of the struct). But
this patch also fixes another not-noted potential negative array index
access: lowIndex could be -1 under a special circumstance and this
would prevent that negative index access as well on powInfo[lowIndex].
So although this probably just does not happen right now it's safer to
have a fix for two of these theoretical negative array index access
than nothing at hand; a proper rewrite of these two routines as I want
it would require quite a few changes here and more testing. Mentally
let's add that to the TODO list..

  Luis
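
Added example, not part of the thread and not the ath9k driver's code: a bracket lookup written so the negative index cannot arise, the kind of rewrite the reply above asks for. find_bracket(), struct bracket and the sample table are hypothetical names and data; the table is assumed to be sorted ascending.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bracket_kind { BR_EMPTY, BR_BELOW, BR_EXACT, BR_BETWEEN, BR_ABOVE };

struct bracket {
	enum bracket_kind kind;
	size_t low;	/* index of the entry at or below freq */
	size_t high;	/* index of the entry at or above freq */
};

/* chan_mhz[] stands in for the frequencies derived from powInfo[i].bChannel. */
static struct bracket find_bracket(const uint16_t *chan_mhz, size_t n,
				   uint16_t freq)
{
	struct bracket b = { BR_EMPTY, 0, 0 };
	size_t i;

	if (n == 0)
		return b;
	if (freq < chan_mhz[0]) {	/* below the table: no [i - 1] exists */
		b.kind = BR_BELOW;
		return b;
	}
	for (i = 0; i < n; i++) {
		if (freq == chan_mhz[i]) {
			b.kind = BR_EXACT;
			b.low = b.high = i;
			return b;
		}
		/* freq >= chan_mhz[0] holds, so this is only true for i >= 1 */
		if (freq < chan_mhz[i]) {
			b.kind = BR_BETWEEN;
			b.low = i - 1;
			b.high = i;
			return b;
		}
	}
	b.kind = BR_ABOVE;		/* above the table: clamp to last entry */
	b.low = b.high = n - 1;
	return b;
}

int main(void)
{
	static const uint16_t tbl[] = { 2412, 2437, 2472 }; /* constructed */
	struct bracket b = find_bracket(tbl, 3, 2400);

	printf("kind=%d low=%u high=%u\n", (int)b.kind, (unsigned)b.low, (unsigned)b.high);
	return 0;
}
```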

Patch

diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
index ce0e86c..e67db2c 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
@@ -150,10 +150,10 @@  static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
 						       IS_CHAN_2GHZ(chan))) {
 				matchIndex = i;
 				break;
-			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						      IS_CHAN_2GHZ(chan))) &&
-				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						      IS_CHAN_2GHZ(chan)))) {
+			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						IS_CHAN_2GHZ(chan)) && i > 0 &&
+				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						IS_CHAN_2GHZ(chan))) {
 				lowIndex = i - 1;
 				break;
 			}
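Review bot: In the `else if` of ath9k_hw_get_legacy_target_powers(), the `i > 0` test sits between the two frequency comparisons; it is correct only because `&&` short-circuits before `powInfo[i - 1]` is evaluated, so moving `i > 0 &&` to the front of the condition would make the guard obvious to the next reader. The commit message should also mention that the guard keeps `lowIndex = i - 1` from becoming -1, and state what result is expected when freq is below the first entry, since with this change the i == 0 iteration sets neither matchIndex nor lowIndex.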
@@ -268,10 +268,10 @@  static void ath9k_hw_get_target_powers(struct ath_hw *ah,
 				matchIndex = i;
 				break;
 			} else
-				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						       IS_CHAN_2GHZ(chan))) &&
-				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						       IS_CHAN_2GHZ(chan)))) {
+				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						IS_CHAN_2GHZ(chan)) && i > 0 &&
+				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						IS_CHAN_2GHZ(chan))) {
 					lowIndex = i - 1;
 					break;
 				}
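Review bot: The condition in ath9k_hw_get_target_powers() is the same four lines as in the first hunk, so the bounds check now has to be kept in sync in two places; a small shared helper for the bracket test, or starting the bracket comparison at i = 1, would hold it once. While these lines are being touched, the `} else` followed by `if (` on its own line could be folded into `} else if (` as the first function does, which also removes one indentation level.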