ath9k: Fix read buffer overflow

Message ID	4A7CA188.1070706@gmail.com (mailing list archive)
State	Not Applicable, archived
Headers	show Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n77LkSCK020129 for <patchwork-linux-wireless@patchwork.kernel.org>; Fri, 7 Aug 2009 21:46:28 GMT DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; b=cNjrEM3dN90Susp4t2OnDkHV3Gd5y1+i9rW1OpGPZQVoy/VXgaxsHH99/ghugXZa6c CUGRHmKz7nzOzPrIMv9fFvaGTP3vxsX/8NlbCqtoSNp15wAMGlIzF4xcJIfojIvXjpWR JuRYWQU3wXX6JAHqxNvhruTUiNko1Ydnw41io= Message-ID: <4A7CA188.1070706@gmail.com> Date: Fri, 07 Aug 2009 23:50:00 +0200 From: Roel Kluin <roel.kluin@gmail.com> User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11 Thunderbird/3.0b2 MIME-Version: 1.0 To: Jouni Malinen <jmalinen@atheros.com>, linux-wireless@vger.kernel.org, ath9k-devel@venema.h4ckr.net, Andrew Morton <akpm@linux-foundation.org> Subject: [PATCH] ath9k: Fix read buffer overflow Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk

Message ID

4A7CA188.1070706@gmail.com (mailing list archive)

State

Not Applicable, archived

Headers

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:subject
	:content-type:content-transfer-encoding;
	b=cNjrEM3dN90Susp4t2OnDkHV3Gd5y1+i9rW1OpGPZQVoy/VXgaxsHH99/ghugXZa6c
	CUGRHmKz7nzOzPrIMv9fFvaGTP3vxsX/8NlbCqtoSNp15wAMGlIzF4xcJIfojIvXjpWR
	JuRYWQU3wXX6JAHqxNvhruTUiNko1Ydnw41io=
Message-ID: <4A7CA188.1070706@gmail.com>
Date: Fri, 07 Aug 2009 23:50:00 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11
	Thunderbird/3.0b2
MIME-Version: 1.0
To: Jouni Malinen <jmalinen@atheros.com>, linux-wireless@vger.kernel.org,
	ath9k-devel@venema.h4ckr.net, Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH] ath9k: Fix read buffer overflow
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk

Commit Message

Roel Kluin Aug. 7, 2009, 9:50 p.m. UTC

Prevent a read of powInfo[-1] in the first iteration.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
The last hunk I already sent in a previous patch.

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

John W. Linville Aug. 10, 2009, 8:26 p.m. UTC | #1

On Fri, Aug 07, 2009 at 11:50:00PM +0200, Roel Kluin wrote:
> Prevent a read of powInfo[-1] in the first iteration.
> 
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> The last hunk I already sent in a previous patch.

The last two hunks, apparently -- neither of them apply.

Why on earth would you randomly include those hunks here?  Especially
if you already sent them?

Listen, I'm glad you are there to do these various clean-ups.
But honestly your patches seem to always have some problem that
requires manual intervention to apply them.  You make my life hard,
and you slow me down.  That makes John a grumpy boy.

John

diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c
index a2fda70..ef4bf89 100644
--- a/drivers/net/wireless/ath/ath9k/eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
@@ -150,10 +150,10 @@  static void ath9k_hw_get_legacy_target_powers(struct ath_hw *ah,
 						       IS_CHAN_2GHZ(chan))) {
 				matchIndex = i;
 				break;
-			} else if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						      IS_CHAN_2GHZ(chan))) &&
-				   (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						      IS_CHAN_2GHZ(chan)))) {
+			} else if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						      IS_CHAN_2GHZ(chan)) && i > 0 &&
+				   freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						      IS_CHAN_2GHZ(chan))) {
 				lowIndex = i - 1;
 				break;
 			}
@@ -268,10 +268,10 @@  static void ath9k_hw_get_target_powers(struct ath_hw *ah,
 				matchIndex = i;
 				break;
 			} else
-				if ((freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
-						       IS_CHAN_2GHZ(chan))) &&
-				    (freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
-						       IS_CHAN_2GHZ(chan)))) {
+				if (freq < ath9k_hw_fbin2freq(powInfo[i].bChannel,
+						       IS_CHAN_2GHZ(chan)) && i > 0 &&
+				    freq > ath9k_hw_fbin2freq(powInfo[i - 1].bChannel,
+						       IS_CHAN_2GHZ(chan))) {
 					lowIndex = i - 1;
 					break;
 				}
@@ -460,7 +460,7 @@  static int ath9k_hw_4k_check_eeprom(struct ath_hw *ah)
 		integer = swab32(eep->modalHeader.antCtrlCommon);
 		eep->modalHeader.antCtrlCommon = integer;
 
-		for (i = 0; i < AR5416_MAX_CHAINS; i++) {
+		for (i = 0; i < AR5416_EEP4K_MAX_CHAINS; i++) {
 			integer = swab32(eep->modalHeader.antCtrlChain[i]);
 			eep->modalHeader.antCtrlChain[i] = integer;
 		}
@@ -914,7 +914,7 @@  static void ath9k_hw_set_4k_power_per_rate_table(struct ath_hw *ah,
 			ctlMode, numCtlModes, isHt40CtlMode,
 			(pCtlMode[ctlMode] & EXT_ADDITIVE));
 
-		for (i = 0; (i < AR5416_NUM_CTLS) &&
+		for (i = 0; (i < AR5416_EEP4K_NUM_CTLS) &&
 				pEepData->ctlIndex[i]; i++) {
 			DPRINTF(ah->ah_sc, ATH_DBG_EEPROM,
 				"  LOOP-Ctlidx %d: cfgCtl 0x%2.2x "

ath9k: Fix read buffer overflow

Commit Message

Comments

Patch