From: Benoit PAPILLAULT <benoit.papillault@free.fr>
To: "Dan Carpenter" <error27@gmail.com>,
"Daniel Drake" <dsd@gentoo.org>,
"Ulrich Kunitz" <kune@deine-taler.de>,
"John W. Linville" <linville@tuxdriver.com>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Luis R. Rodriguez" <lrodriguez@atheros.com>,
"André Goddard Rosa" <andre.goddard@gmail.com>,
"Benoit PAPILLAULT" <benoit.papillault@free.fr>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] zd1211rw: fix potential array underflow
Date: Sat, 27 Feb 2010 14:20:31 +0000 [thread overview]
Message-ID: <4B892A2F.2040307@free.fr> (raw)
In-Reply-To: <20100227061234.GA14323@bicker>
Dan Carpenter a écrit :
> The first chunk fixes a debugging assert to print a warning about array underflows.
> The second chunk corrects a potential array underflow. I also removed an assert
> in the second chunk because it can no longer happen.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> This was found by a static check and compile tested only. Please review carefully.
>
> diff --git a/drivers/net/wireless/zd1211rw/zd_mac.c b/drivers/net/wireless/zd1211rw/zd_mac.c
> index f14deb0..ead2f2c 100644
> --- a/drivers/net/wireless/zd1211rw/zd_mac.c
> +++ b/drivers/net/wireless/zd1211rw/zd_mac.c
> @@ -350,7 +350,7 @@ static void zd_mac_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
> first_idx = info->status.rates[0].idx;
> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
> retries = &zd_retry_rates[first_idx];
> - ZD_ASSERT(0<=retry && retry<=retries->count);
> + ZD_ASSERT(1 <= retry && retry <= retries->count);
>
Note: normal hardware always report a tx_status->retry >= 1. There are 2
code paths to initialize retry itself : either tx_status is NULL and
then retry=1 (so we are safe), or tx_status is not NULL and retry =
tx_status->retry + success >=1 (so we are safe again).
However, I wonder how we should handle if it happens that the HW reports
a tx_status->retry = 0. I think ZD_ASSERT purpose is to catch
programming errors, not bogus hardware. Comments?
>
> info->status.rates[0].idx = retries->rate[0];
> info->status.rates[0].count = 1; // (retry > 1 ? 2 : 1);
> @@ -360,7 +360,7 @@ static void zd_mac_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
> info->status.rates[i].count = 1; // ((i=retry-1) && success ? 1:2);
> }
> for (; i<IEEE80211_TX_MAX_RATES && i<retry; i++) {
> - info->status.rates[i].idx = retries->rate[retry-1];
> + info->status.rates[i].idx = retries->rate[retry - 1];
> info->status.rates[i].count = 1; // (success ? 1:2);
> }
> if (i<IEEE80211_TX_MAX_RATES)
> @@ -424,12 +424,10 @@ void zd_mac_tx_failed(struct urb *urb)
> first_idx = info->status.rates[0].idx;
> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
> retries = &zd_retry_rates[first_idx];
> - if (retry < 0 || retry > retries->count) {
> + if (retry <= 0 || retry > retries->count)
> continue;
> - }
>
> - ZD_ASSERT(0<=retry && retry<=retries->count);
> - final_idx = retries->rate[retry-1];
> + final_idx = retries->rate[retry - 1];
> final_rate = zd_rates[final_idx].hw_value;
>
> if (final_rate != tx_status->rate) {
>
>
Acked-by: Benoit Papillault <benoit.papillault@free.fr>
Regards,
Benoit
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Benoit PAPILLAULT <benoit.papillault@free.fr>
To: "Dan Carpenter" <error27@gmail.com>,
"Daniel Drake" <dsd@gentoo.org>,
"Ulrich Kunitz" <kune@deine-taler.de>,
"John W. Linville" <linville@tuxdriver.com>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Luis R. Rodriguez" <lrodriguez@atheros.com>,
"André Goddard Rosa" <andre.goddard@gmail.com>,
"Benoit PAPILLAULT" <benoit.papillault@free.fr>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] zd1211rw: fix potential array underflow
Date: Sat, 27 Feb 2010 15:20:31 +0100 [thread overview]
Message-ID: <4B892A2F.2040307@free.fr> (raw)
In-Reply-To: <20100227061234.GA14323@bicker>
Dan Carpenter a écrit :
> The first chunk fixes a debugging assert to print a warning about array underflows.
> The second chunk corrects a potential array underflow. I also removed an assert
> in the second chunk because it can no longer happen.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> ---
> This was found by a static check and compile tested only. Please review carefully.
>
> diff --git a/drivers/net/wireless/zd1211rw/zd_mac.c b/drivers/net/wireless/zd1211rw/zd_mac.c
> index f14deb0..ead2f2c 100644
> --- a/drivers/net/wireless/zd1211rw/zd_mac.c
> +++ b/drivers/net/wireless/zd1211rw/zd_mac.c
> @@ -350,7 +350,7 @@ static void zd_mac_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
> first_idx = info->status.rates[0].idx;
> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
> retries = &zd_retry_rates[first_idx];
> - ZD_ASSERT(0<=retry && retry<=retries->count);
> + ZD_ASSERT(1 <= retry && retry <= retries->count);
>
Note: normal hardware always report a tx_status->retry >= 1. There are 2
code paths to initialize retry itself : either tx_status is NULL and
then retry=1 (so we are safe), or tx_status is not NULL and retry =
tx_status->retry + success >=1 (so we are safe again).
However, I wonder how we should handle if it happens that the HW reports
a tx_status->retry = 0. I think ZD_ASSERT purpose is to catch
programming errors, not bogus hardware. Comments?
>
> info->status.rates[0].idx = retries->rate[0];
> info->status.rates[0].count = 1; // (retry > 1 ? 2 : 1);
> @@ -360,7 +360,7 @@ static void zd_mac_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb,
> info->status.rates[i].count = 1; // ((i==retry-1) && success ? 1:2);
> }
> for (; i<IEEE80211_TX_MAX_RATES && i<retry; i++) {
> - info->status.rates[i].idx = retries->rate[retry-1];
> + info->status.rates[i].idx = retries->rate[retry - 1];
> info->status.rates[i].count = 1; // (success ? 1:2);
> }
> if (i<IEEE80211_TX_MAX_RATES)
> @@ -424,12 +424,10 @@ void zd_mac_tx_failed(struct urb *urb)
> first_idx = info->status.rates[0].idx;
> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
> retries = &zd_retry_rates[first_idx];
> - if (retry < 0 || retry > retries->count) {
> + if (retry <= 0 || retry > retries->count)
> continue;
> - }
>
> - ZD_ASSERT(0<=retry && retry<=retries->count);
> - final_idx = retries->rate[retry-1];
> + final_idx = retries->rate[retry - 1];
> final_rate = zd_rates[final_idx].hw_value;
>
> if (final_rate != tx_status->rate) {
>
>
Acked-by: Benoit Papillault <benoit.papillault@free.fr>
Regards,
Benoit
next prev parent reply other threads:[~2010-02-27 14:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-27 6:12 [patch] zd1211rw: fix potential array underflow Dan Carpenter
2010-02-27 6:12 ` Dan Carpenter
2010-02-27 14:20 ` Benoit PAPILLAULT
2010-02-27 14:20 ` Benoit PAPILLAULT [this message]
2010-02-27 14:20 ` Benoit PAPILLAULT
2010-02-27 17:27 ` walter harms
2010-02-27 17:27 ` walter harms
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B892A2F.2040307@free.fr \
--to=benoit.papillault@free.fr \
--cc=andre.goddard@gmail.com \
--cc=dsd@gentoo.org \
--cc=error27@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=kernel-janitors@vger.kernel.org \
--cc=kune@deine-taler.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=lrodriguez@atheros.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.