Date: Sun, 14 Feb 2016 17:13:25 +0200 From: "Andriy Voskoboinyk" <avos@freebsd.org> To: "Hans Petter Selasky" <hselasky@freebsd.org> Cc: "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org> Subject: Re: svn commit: r295607 - head/sys/dev/usb/wlan Message-ID: <op.yctwknx14dikkl@localhost> In-Reply-To: <201602140716.u1E7Gaot040504@repo.freebsd.org> References: <201602140716.u1E7Gaot040504@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Sun, 14 Feb 2016 09:16:36 +0200 було написано Hans Petter Selasky <hselasky@freebsd.org>: > Author: hselasky > Date: Sun Feb 14 07:16:36 2016 > New Revision: 295607 > URL: https://svnweb.freebsd.org/changeset/base/295607 > > Log: > Reduce the number of supported WLAN keys in the rum driver, else we > risk bit shifting overflows. Found by D5245 / PVS. > MFC after: 1 week Hardware crypto support was never merged (so, there is nothing to MFC). > > Modified: > head/sys/dev/usb/wlan/if_rum.c > head/sys/dev/usb/wlan/if_rumreg.h > > Modified: head/sys/dev/usb/wlan/if_rum.c > ============================================================================== > --- head/sys/dev/usb/wlan/if_rum.c Sun Feb 14 02:28:59 2016 (r295606) > +++ head/sys/dev/usb/wlan/if_rum.c Sun Feb 14 07:16:36 2016 (r295607) > ... > --- skipped --- > ... > Modified: head/sys/dev/usb/wlan/if_rumreg.h > ============================================================================== > --- head/sys/dev/usb/wlan/if_rumreg.h Sun Feb 14 02:28:59 2016 (r295606) > +++ head/sys/dev/usb/wlan/if_rumreg.h Sun Feb 14 07:16:36 2016 (r295607) > @@ -47,7 +47,7 @@ > * H/w encryption/decryption support > */ > #define KEY_SIZE (IEEE80211_KEYBUF_SIZE + IEEE80211_MICBUF_SIZE) > -#define RT2573_ADDR_MAX 64 > +#define RT2573_ADDR_MAX (32 / RT2573_SKEY_MAX) > #define RT2573_SKEY_MAX 4 > #define RT2573_SKEY(vap, kidx) (0x1000 + ((vap) * RT2573_SKEY_MAX + \ > Reason of this change? (device table has 64 entries, not 8). I have not seen any overflows, caused by it: 1) vap->iv_key_set = rum_key_set; vap->iv_key_delete = rum_key_delete; vap->iv_update_beacon = rum_update_beacon; vap->iv_max_aid = RT2573_ADDR_MAX; // not the case usb_callout_init_mtx(&rvp->ratectl_ch, &sc->sc_mtx, 0); TASK_INIT(&rvp->ratectl_task, 0, rum_ratectl_task, rvp); 2) k < &vap->iv_nw_keys[IEEE80211_WEP_NKID])) { if (!(k->wk_flags & IEEE80211_KEY_SWCRYPT)) { RUM_LOCK(sc); for (i = 0; i < RT2573_ADDR_MAX; i++) { // can hold [0;63] without any overflows; // keys_bmap is 64-bit, so there is no overflow too if ((sc->keys_bmap & (1ULL << i)) == 0) { sc->keys_bmap |= 1ULL << i; *keyix = i; 3) } } RUM_UNLOCK(sc); if (i == RT2573_ADDR_MAX) { // like the first case device_printf(sc->sc_dev, "%s: no free space in the key table\n", __func__);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.yctwknx14dikkl>