Date: Tue, 15 Dec 2015 09:56:18 -0800 From: Adrian Chadd <adrian@freebsd.org> To: Andriy Voskoboinyk <s3erios@gmail.com> Cc: Kevin Lo <kevlo@freebsd.org>, "freebsd-wireless@freebsd.org" <freebsd-wireless@freebsd.org> Subject: Re: coverity scan results for urtwn Message-ID: <CAJ-VmomBz2Nc42RD5ovov=moRx_DKBRGuLQB16FPQZwWTjyUYQ@mail.gmail.com> In-Reply-To: <op.x9o5ezxoiew4ia@localhost> References: <CAJ-VmonZYYdhbLhkE=gAGPp6%2B0sq7fhZNvJJytyXedT8MQOtLw@mail.gmail.com> <op.x9o5ezxoiew4ia@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
heh, wanna submit a fix? :)
-a
On 15 December 2015 at 09:55, Andriy Voskoboinyk <s3erios@gmail.com> wrote:
>> hiya,
>>
>> this popped up from the freebsd.org coverity scan:
>>
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1343338: Memory - illegal accesses (OVERRUN)
>> /sys/dev/usb/wlan/if_urtwn.c: 4288 in urtwn_r88e_newassoc()
>> 4282
>> 4283 if (!isnew)
>> 4284 return;
>> 4285
>> 4286 URTWN_NT_LOCK(sc);
>> 4287 for (id = 0; id <= URTWN_MACID_MAX(sc); id++) {
>>>>>
>>>>> CID 1343338: Memory - illegal accesses (OVERRUN)
>>>>> Overrunning array "sc->node_list" of 63 8-byte elements at element
>>>>> index 63 (byte offset 504) using index "id" (which evaluates to 63).
>>
>> 4288 if (id != URTWN_MACID_BC && sc->node_list[id] ==
>> NULL) {
>> 4289 un->id = id;
>> 4290 sc->node_list[id] = ni;
>> 4291 break;
>> 4292 }
>> 4293 }
>>
>> Would one of you figure it out?
>>
>> Thanks!
>>
>>
>> -a
>
>
> #define R88E_MACID_MAX 63
> ...
> struct ieee80211_node *node_list[R88E_MACID_MAX];
>
> of course, I mean here 64, not 63 (probably, it was a bad idea to replace
> first inaccessible element with last accessible).
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJ-VmomBz2Nc42RD5ovov=moRx_DKBRGuLQB16FPQZwWTjyUYQ>