Date: Tue, 15 Dec 2015 19:55:37 +0200 From: "Andriy Voskoboinyk" <s3erios@gmail.com> To: "Adrian Chadd" <adrian@freebsd.org>, "Kevin Lo" <kevlo@freebsd.org>, "freebsd-wireless@freebsd.org" <freebsd-wireless@freebsd.org> Subject: Re: coverity scan results for urtwn Message-ID: <op.x9o5ezxoiew4ia@localhost> In-Reply-To: <CAJ-VmonZYYdhbLhkE=gAGPp6%2B0sq7fhZNvJJytyXedT8MQOtLw@mail.gmail.com> References: <CAJ-VmonZYYdhbLhkE=gAGPp6%2B0sq7fhZNvJJytyXedT8MQOtLw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> hiya, > > this popped up from the freebsd.org coverity scan: > > > ________________________________________________________________________________________________________ > *** CID 1343338: Memory - illegal accesses (OVERRUN) > /sys/dev/usb/wlan/if_urtwn.c: 4288 in urtwn_r88e_newassoc() > 4282 > 4283 if (!isnew) > 4284 return; > 4285 > 4286 URTWN_NT_LOCK(sc); > 4287 for (id = 0; id <= URTWN_MACID_MAX(sc); id++) { >>>> CID 1343338: Memory - illegal accesses (OVERRUN) >>>> Overrunning array "sc->node_list" of 63 8-byte elements at >>>> element index 63 (byte offset 504) using index "id" (which evaluates >>>> to 63). > 4288 if (id != URTWN_MACID_BC && sc->node_list[id] == > NULL) { > 4289 un->id = id; > 4290 sc->node_list[id] = ni; > 4291 break; > 4292 } > 4293 } > > Would one of you figure it out? > > Thanks! > > > -a #define R88E_MACID_MAX 63 ... struct ieee80211_node *node_list[R88E_MACID_MAX]; of course, I mean here 64, not 63 (probably, it was a bad idea to replace first inaccessible element with last accessible).
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.x9o5ezxoiew4ia>