Date: Tue, 17 May 2016 01:01:26 +0300
From: "Andriy Voskoboinyk" <s3erios@gmail.com>
To: "Don Lewis" <truckman@freebsd.org>
Cc: "freebsd-wireless@freebsd.org" <freebsd-wireless@freebsd.org>
Subject: Re: minor array overflow in ifconfig set80211chanlist()
Message-ID: <op.yhkssoeniew4ia@localhost>
In-Reply-To: <201605162142.u4GLgs8d072880@gw.catspoiler.org>
References: <201605162142.u4GLgs8d072880@gw.catspoiler.org>

Mon, 16 May 2016 22:42:50 +0300, Don Lewis <truckman@freebsd.org> wrote:

> I asked adrian@ privately and he sent me here ...
>
> Coverity is complaining about an array overflow in set80211chanlist().
>
> The code in question is:
>         if (first > IEEE80211_CHAN_MAX)
>                 errx(-1, "channel %u out of range, max %u",
>                     first, IEEE80211_CHAN_MAX);
>         setbit(chanlist.ic_channels, first);
>
> The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
> 256 and setbit() would still be called.
>
> The ifconfig man page says that channel numbers should be in the range
> 1 to 255, so I think the correct fix would be to change this test (as
> well as others that follow) to >= IEEE80211_CHAN_MAX.
>
> Does that look correct?

Yes, it's correct (however, there is no driver with such a big channel
table, so it cannot be reproduced right now).
+ there is an overflow in the next (last > CHAN_MAX) check too.

> Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255.

It is already used as channel array size and max channel number;
changing its meaning to [max array index] will require more changes
(one in regdomain_addchans(), more in net80211 and drivers).
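
An added illustration of the off-by-one discussed in this thread (not part of the original message and not ifconfig's own source): it runs the quoted `>` test and the proposed `>=` test against a bitmap followed by a guard byte, so a write past the end is observable without touching invalid memory. It assumes the channel bitmap holds IEEE80211_CHAN_MAX bits (32 bytes); CHAN_BYTES, set_chan_bit(), mark_range() and the guard byte are hypothetical names made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_CHAN_MAX 256                            /* value quoted in the thread */
#define CHAN_BYTES         ((IEEE80211_CHAN_MAX + 7) / 8) /* assumed bitmap size: 32 bytes */

/* Same bit arithmetic as the BSD setbit() macro, written as a function. */
static void set_chan_bit(uint8_t *map, unsigned chan)
{
    map[chan / 8] |= (uint8_t)(1u << (chan % 8));
}

/*
 * Mark channels first..last in a bitmap that is followed by one guard byte.
 * strict == 0 applies the test quoted in the thread (reject if > MAX),
 * strict == 1 applies the proposed test (reject if >= MAX).
 * Returns -1 if the range is rejected, otherwise the guard byte after the
 * writes: non-zero means a bit was set past the end of the bitmap.
 */
int mark_range(unsigned first, unsigned last, int strict)
{
    uint8_t buf[CHAN_BYTES + 1];   /* bitmap + guard byte (constructed) */
    unsigned limit = strict ? IEEE80211_CHAN_MAX - 1 : IEEE80211_CHAN_MAX;

    memset(buf, 0, sizeof(buf));
    if (first > limit || last > limit || last < first)
        return -1;
    for (unsigned f = first; f <= last; f++)
        set_chan_bit(buf, f);      /* channel 256 -> byte 32, bit 0 */
    return buf[CHAN_BYTES];
}

int main(void)
{
    printf("255,     '>'  test: %d\n", mark_range(255, 255, 0));
    printf("256,     '>'  test: %d\n", mark_range(256, 256, 0));
    printf("250-256, '>'  test: %d\n", mark_range(250, 256, 0));
    printf("256,     '>=' test: %d\n", mark_range(256, 256, 1));
    return 0;
}
```

Channel 256 maps to byte index 32, one past the last valid index 31, which is why both the first and the last bound need the stricter comparison.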