Date: Mon, 16 May 2016 12:42:50 -0700 (PDT)
From: Don Lewis <truckman@FreeBSD.org>
To: freebsd-wireless@FreeBSD.org
Subject: minor array overflow in ifconfig set80211chanlist()
Message-ID: <201605162142.u4GLgs8d072880@gw.catspoiler.org>

I asked adrian@ privately and he sent me here ...

Coverity is complaining about an array overflow in set80211chanlist().
The code in question is:

    if (first > IEEE80211_CHAN_MAX)
            errx(-1, "channel %u out of range, max %u",
                    first, IEEE80211_CHAN_MAX);
    setbit(chanlist.ic_channels, first);

The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
256 and setbit() would still be called. The ifconfig man page says
that channel numbers should be in the range 1 to 255, so I think the
correct fix would be to change this test (as well as others that
follow) to >= IEEE80211_CHAN_MAX.

Does that look correct? Adrian suggested that maybe IEEE80211_CHAN_MAX
should be 255.
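
The off-by-one described in the message, as an added C example that is not part of the original e-mail or of ifconfig's source: it compares the quoted `>` test with the proposed `>=` test for channel 256. Assumptions: the bitmap is sized for IEEE80211_CHAN_MAX bits (32 bytes), `set_bit()` is a local stand-in for `setbit()`, all function names are hypothetical, and one extra guard byte stands in for whatever memory follows the real array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHAN_MAX      256u   /* value of IEEE80211_CHAN_MAX given in the message */
#define BITS_PER_BYTE 8u
/* Assumed bitmap size: one bit per channel 0..255, i.e. 32 bytes. */
#define CHAN_BYTES    ((CHAN_MAX + BITS_PER_BYTE - 1) / BITS_PER_BYTE)

/* Local stand-in for setbit(): sets bit i of the byte array a. */
static void set_bit(uint8_t *a, unsigned i)
{
    a[i / BITS_PER_BYTE] |= (uint8_t)(1u << (i % BITS_PER_BYTE));
}

/* Range test as quoted in the message: lets first == 256 through. */
static int accepts_original(unsigned first) { return !(first > CHAN_MAX); }

/* Range test proposed in the message: rejects first == 256. */
static int accepts_fixed(unsigned first) { return !(first >= CHAN_MAX); }

/*
 * Marks a channel in a zeroed bitmap that is followed by one guard byte.
 * Returns -1 if the range test rejects the channel, otherwise the value
 * of the guard byte afterwards (non-zero means the write went past the
 * 32-byte bitmap).
 */
static int mark_channel(unsigned first, int (*accepts)(unsigned))
{
    uint8_t buf[CHAN_BYTES + 1];   /* bitmap + guard byte (constructed) */

    memset(buf, 0, sizeof(buf));
    if (!accepts(first))
        return -1;
    set_bit(buf, first);           /* 256 / 8 == 32: first byte past the bitmap */
    return buf[CHAN_BYTES];
}

int main(void)
{
    printf("channel 255, original test: %d\n", mark_channel(255, accepts_original));
    printf("channel 256, original test: %d\n", mark_channel(256, accepts_original));
    printf("channel 256, fixed test:    %d\n", mark_channel(256, accepts_fixed));
    return 0;
}
```
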