Date:      Tue, 17 May 2016 01:01:26 +0300
From:      "Andriy Voskoboinyk" <s3erios@gmail.com>
To:        "Don Lewis" <truckman@freebsd.org>
Cc:        "freebsd-wireless@freebsd.org" <freebsd-wireless@freebsd.org>
Subject:   Re: minor array overflow in ifconfig set80211chanlist()
Message-ID:  <op.yhkssoeniew4ia@localhost>
In-Reply-To: <201605162142.u4GLgs8d072880@gw.catspoiler.org>
References:  <201605162142.u4GLgs8d072880@gw.catspoiler.org>


On Mon, 16 May 2016 22:42:50 +0300, Don Lewis <truckman@freebsd.org> wrote:

> I asked adrian@ privately and he sent me here ...
>
> Coverity is complaining about an array overflow in set80211chanlist().
>
> The code in question is:
>                         if (first > IEEE80211_CHAN_MAX)
>                                 errx(-1, "channel %u out of range, max %u",
>                                         first, IEEE80211_CHAN_MAX);
>                         setbit(chanlist.ic_channels, first);
>
> The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
> 256 and setbit() would still be called.
>
> The ifconfig man page says that channel numbers should be in the range
> 1 to 255, so I think the correct fix would be to change this test (as
> well as others that follow) to >= IEEE80211_CHAN_MAX.
>
> Does that look correct?

Yes, it's correct (however, there is no driver with such a big channel table,
so it cannot be reproduced right now).
+ there is an overflow in the next (last > CHAN_MAX) check too.

>
> Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255.

It is already used as channel array size and max channel number;
changing its meaning to [max array index] will require more changes
(one in regdomain_addchans(), more in net80211 and drivers).

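The off-by-one discussed in this thread, as an added example that is not part of the original messages or the ifconfig source. It assumes the channel bitmap holds exactly IEEE80211_CHAN_MAX bits (based on the reply that the constant is used as the array size); `CHAN_MAX`, `CHAN_BYTES`, `struct chanlist` and all function names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define CHAN_MAX   256  /* IEEE80211_CHAN_MAX value quoted in the thread */
#define CHAN_BYTES ((CHAN_MAX + CHAR_BIT - 1) / CHAR_BIT)  /* assumed bitmap size */

struct chanlist { unsigned char ic_channels[CHAN_BYTES]; };  /* constructed stand-in */

/* Acceptance tests: the one quoted in the thread and the proposed one. */
static int accept_original(unsigned ch) { return !(ch > CHAN_MAX); }
static int accept_fixed(unsigned ch)    { return !(ch >= CHAN_MAX); }

/* Byte of the bitmap that setbit(map, ch) would write to. */
static size_t byte_touched(unsigned ch) { return ch / CHAR_BIT; }

/* Count accepted channel numbers whose bit lies past the end of the bitmap.
 * Only the index is computed, so nothing is written out of bounds. */
static unsigned count_escapes(int (*accept)(unsigned))
{
    unsigned ch, n = 0;
    for (ch = 0; ch <= 4 * CHAN_MAX; ch++)
        if (accept(ch) && byte_touched(ch) >= (size_t)CHAN_BYTES)
            n++;
    return n;
}

/* Hardened range setter: validates both ends before touching the bitmap.
 * Returns the number of bits set, or -1 if the range is rejected. */
static int set_range(struct chanlist *cl, unsigned first, unsigned last)
{
    unsigned ch;
    if (first >= CHAN_MAX || last >= CHAN_MAX || first > last)
        return -1;
    for (ch = first; ch <= last; ch++)
        cl->ic_channels[ch / CHAR_BIT] |= (unsigned char)(1u << (ch % CHAR_BIT));
    return (int)(last - first + 1);
}

int main(void)
{
    struct chanlist cl = { {0} };
    printf("bitmap bytes: %d, byte touched by channel 256: %zu\n",
        CHAN_BYTES, byte_touched(256));
    printf("escapes with '>': %u, with '>=': %u\n",
        count_escapes(accept_original), count_escapes(accept_fixed));
    printf("set_range(250,255)=%d set_range(250,256)=%d\n",
        set_range(&cl, 250, 255), set_range(&cl, 250, 256));
    return 0;
}
```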