From: "Andriy Voskoboinyk" <s3erios@gmail.com>
To: "Don Lewis"
Cc: "freebsd-wireless@freebsd.org"
Subject: Re: minor array overflow in ifconfig set80211chanlist()
Date: Tue, 17 May 2016 01:01:26 +0300
In-Reply-To: <201605162142.u4GLgs8d072880@gw.catspoiler.org>
References: <201605162142.u4GLgs8d072880@gw.catspoiler.org>
User-Agent: Opera Mail/12.16 (FreeBSD)
List-Id: "Discussions of 802.11 stack, tools device driver development."

Mon, 16 May 2016 22:42:50 +0300 Don Lewis wrote:

> I asked adrian@ privately and he sent me here ...
>
> Coverity is complaining about an array overflow in set80211chanlist().
>
> The code in question is:
>
>         if (first > IEEE80211_CHAN_MAX)
>                 errx(-1, "channel %u out of range, max %u",
>                     first, IEEE80211_CHAN_MAX);
>         setbit(chanlist.ic_channels, first);
>
> The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
> 256 and setbit() would still be called.
>
> The ifconfig man page says that channel numbers should be in the range
> 1 to 255, so I think the correct fix would be to change this test (as
> well as others that follow) to >= IEEE80211_CHAN_MAX.
>
> Does that look correct?

Yes, it's correct (however, there is no driver with such a big channel table, so it cannot be reproduced right now).
+ there is an overflow in the next (last > CHAN_MAX) check too.

> Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255.

It is already used as channel array size and max channel number; changing its meaning to [max array index] will require more changes (one in regdomain_addchans(), more in net80211 and drivers).
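The off-by-one discussed in the thread, as an added stand-alone example (not the ifconfig or net80211 code): the bitmap size of 32 bytes is derived from IEEE80211_CHAN_MAX = 256 as the thread states, the `range_ok_*` and `probe_range` helpers are constructed here, and `probe_range` reports the byte index a setbit() loop over `[first, last]` would reach instead of writing it, so the out-of-bounds case can be shown without performing the bad write.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as described in the thread; the byte layout is an assumption
 * matching a bitmap of IEEE80211_CHAN_MAX bits. */
#define IEEE80211_CHAN_MAX   256
#define NBBY                 8
#define IEEE80211_CHAN_BYTES ((IEEE80211_CHAN_MAX + NBBY - 1) / NBBY) /* 32 */

struct chanlist {
    uint8_t ic_channels[IEEE80211_CHAN_BYTES]; /* valid byte indices 0..31 */
};

/* The check as originally written: accepts first == 256. */
static int range_ok_buggy(unsigned chan) { return chan <= IEEE80211_CHAN_MAX; }

/* The check proposed in the thread: rejects first == 256. */
static int range_ok_fixed(unsigned chan) { return chan < IEEE80211_CHAN_MAX; }

/* Returns 1 if byte_idx is inside ic_channels, 0 if it would overflow. */
static int in_bounds(int byte_idx)
{
    return byte_idx >= 0 && byte_idx < IEEE80211_CHAN_BYTES;
}

/* Apply the range check to both ends of [first, last] and return the
 * highest byte index setbit() would touch, or -1 if the range is rejected.
 * setbit(a, i) writes a[i / NBBY], so channel 256 reaches byte 32. */
static int probe_range(unsigned first, unsigned last, int (*range_ok)(unsigned))
{
    if (!range_ok(first) || !range_ok(last) || last < first)
        return -1;
    return (int)(last / NBBY);
}

/* Hardened setter: only writes when the fixed check passes. */
static int chanlist_set(struct chanlist *cl, unsigned chan)
{
    if (!range_ok_fixed(chan))
        return 0;
    cl->ic_channels[chan / NBBY] |= (uint8_t)(1u << (chan % NBBY));
    return 1;
}

int main(void)
{
    printf("buggy check, channel 256 -> byte %d (in bounds: %d)\n",
        probe_range(1, 256, range_ok_buggy), in_bounds(probe_range(1, 256, range_ok_buggy)));
    printf("fixed check, channel 256 -> %d\n", probe_range(1, 256, range_ok_fixed));
    return 0;
}
```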