Date: Sun, 14 Feb 2016 17:13:25 +0200 From: "Andriy Voskoboinyk" <avos@freebsd.org> To: "Hans Petter Selasky" <hselasky@freebsd.org> Cc: "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "svn-src-head@freebsd.org" <svn-src-head@freebsd.org> Subject: Re: svn commit: r295607 - head/sys/dev/usb/wlan Message-ID: <op.yctwknx14dikkl@localhost> In-Reply-To: <201602140716.u1E7Gaot040504@repo.freebsd.org> References: <201602140716.u1E7Gaot040504@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Sun, 14 Feb 2016 09:16:36 +0200 =D0=B1=D1=83=D0=BB=D0=BE =D0=BD=D0=B0=D0= =BF=D0=B8=D1=81=D0=B0=D0=BD=D0=BE Hans Petter Selasky = <hselasky@freebsd.org>: > Author: hselasky > Date: Sun Feb 14 07:16:36 2016 > New Revision: 295607 > URL: https://svnweb.freebsd.org/changeset/base/295607 > > Log: > Reduce the number of supported WLAN keys in the rum driver, else we > risk bit shifting overflows. Found by D5245 / PVS. > MFC after: 1 week Hardware crypto support was never merged (so, there is nothing to MFC). > > Modified: > head/sys/dev/usb/wlan/if_rum.c > head/sys/dev/usb/wlan/if_rumreg.h > > Modified: head/sys/dev/usb/wlan/if_rum.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- head/sys/dev/usb/wlan/if_rum.c Sun Feb 14 02:28:59 2016 (r295606) > +++ head/sys/dev/usb/wlan/if_rum.c Sun Feb 14 07:16:36 2016 (r295607) > ... > --- skipped --- > ... > Modified: head/sys/dev/usb/wlan/if_rumreg.h > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D > --- head/sys/dev/usb/wlan/if_rumreg.h Sun Feb 14 02:28:59 2016 (r29560= 6) > +++ head/sys/dev/usb/wlan/if_rumreg.h Sun Feb 14 07:16:36 2016 (r29560= 7) > @@ -47,7 +47,7 @@ > * H/w encryption/decryption support > */ > #define KEY_SIZE (IEEE80211_KEYBUF_SIZE + IEEE80211_MICBUF_SIZE) > -#define RT2573_ADDR_MAX 64 > +#define RT2573_ADDR_MAX (32 / RT2573_SKEY_MAX) > #define RT2573_SKEY_MAX 4 > #define RT2573_SKEY(vap, kidx) (0x1000 + ((vap) * RT2573_SKEY_MAX + \ > Reason of this change? (device table has 64 entries, not 8). I have not seen any overflows, caused by it: 1) vap->iv_key_set =3D rum_key_set; vap->iv_key_delete =3D rum_key_delete; vap->iv_update_beacon =3D rum_update_beacon; vap->iv_max_aid =3D RT2573_ADDR_MAX; // not the case usb_callout_init_mtx(&rvp->ratectl_ch, &sc->sc_mtx, 0); TASK_INIT(&rvp->ratectl_task, 0, rum_ratectl_task, rvp); 2) k < &vap->iv_nw_keys[IEEE80211_WEP_NKID])) { if (!(k->wk_flags & IEEE80211_KEY_SWCRYPT)) { RUM_LOCK(sc); for (i =3D 0; i < RT2573_ADDR_MAX; i++) { // can hold [0;63] wit= hout = any overflows; // keys_bmap is 64-bit, so there is no overflow too if ((sc->keys_bmap & (1ULL << i)) =3D=3D 0) { sc->keys_bmap |=3D 1ULL << i; *keyix =3D i; 3) } } RUM_UNLOCK(sc); if (i =3D=3D RT2573_ADDR_MAX) { // like the first case device_printf(sc->sc_dev, "%s: no free space in the key table\n", __func__);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.yctwknx14dikkl>