From: walter harms <wharms@bfs.de>
To: Benoit PAPILLAULT <benoit.papillault@free.fr>
Cc: "Dan Carpenter" <error27@gmail.com>,
"Daniel Drake" <dsd@gentoo.org>,
"Ulrich Kunitz" <kune@deine-taler.de>,
"John W. Linville" <linville@tuxdriver.com>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Luis R. Rodriguez" <lrodriguez@atheros.com>,
"André Goddard Rosa" <andre.goddard@gmail.com>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] zd1211rw: fix potential array underflow
Date: Sat, 27 Feb 2010 17:27:30 +0000 [thread overview]
Message-ID: <4B895602.6010801@bfs.de> (raw)
In-Reply-To: <4B892A2F.2040307@free.fr>
Benoit PAPILLAULT schrieb:
> Dan Carpenter a écrit :
>> The first chunk fixes a debugging assert to print a warning about
>> array underflows.
>> The second chunk corrects a potential array underflow. I also removed
>> an assert
>> in the second chunk because it can no longer happen.
>>
>> Signed-off-by: Dan Carpenter <error27@gmail.com>
>> ---
>> This was found by a static check and compile tested only. Please
>> review carefully.
>>
>> diff --git a/drivers/net/wireless/zd1211rw/zd_mac.c
>> b/drivers/net/wireless/zd1211rw/zd_mac.c
>> index f14deb0..ead2f2c 100644
>> --- a/drivers/net/wireless/zd1211rw/zd_mac.c
>> +++ b/drivers/net/wireless/zd1211rw/zd_mac.c
>> @@ -350,7 +350,7 @@ static void zd_mac_tx_status(struct ieee80211_hw
>> *hw, struct sk_buff *skb,
>> first_idx = info->status.rates[0].idx;
>> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
>> retries = &zd_retry_rates[first_idx];
>> - ZD_ASSERT(0<=retry && retry<=retries->count);
>> + ZD_ASSERT(1 <= retry && retry <= retries->count);
>>
> Note: normal hardware always report a tx_status->retry >= 1. There are 2
> code paths to initialize retry itself : either tx_status is NULL and
> then retry=1 (so we are safe), or tx_status is not NULL and retry > tx_status->retry + success >=1 (so we are safe again).
>
> However, I wonder how we should handle if it happens that the HW reports
> a tx_status->retry = 0. I think ZD_ASSERT purpose is to catch
> programming errors, not bogus hardware. Comments?
Simply assume the worst, so far i see the patch does not
add more code nor should it change normal behavier.
This will help to make the code more robust.
just my 2 cents,
walter
>>
>> info->status.rates[0].idx = retries->rate[0];
>> info->status.rates[0].count = 1; // (retry > 1 ? 2 : 1);
>> @@ -360,7 +360,7 @@ static void zd_mac_tx_status(struct ieee80211_hw
>> *hw, struct sk_buff *skb,
>> info->status.rates[i].count = 1; // ((i=retry-1) && success
>> ? 1:2);
>> }
>> for (; i<IEEE80211_TX_MAX_RATES && i<retry; i++) {
>> - info->status.rates[i].idx = retries->rate[retry-1];
>> + info->status.rates[i].idx = retries->rate[retry - 1];
>> info->status.rates[i].count = 1; // (success ? 1:2);
>> }
>> if (i<IEEE80211_TX_MAX_RATES)
>> @@ -424,12 +424,10 @@ void zd_mac_tx_failed(struct urb *urb)
>> first_idx = info->status.rates[0].idx;
>> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
>> retries = &zd_retry_rates[first_idx];
>> - if (retry < 0 || retry > retries->count) {
>> + if (retry <= 0 || retry > retries->count)
>> continue;
>> - }
>>
>> - ZD_ASSERT(0<=retry && retry<=retries->count);
>> - final_idx = retries->rate[retry-1];
>> + final_idx = retries->rate[retry - 1];
>> final_rate = zd_rates[final_idx].hw_value;
>>
>> if (final_rate != tx_status->rate) {
>>
>>
> Acked-by: Benoit Papillault <benoit.papillault@free.fr>
>
> Regards,
> Benoit
>
> --
> To unsubscribe from this list: send the line "unsubscribe
> kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: walter harms <wharms@bfs.de>
To: Benoit PAPILLAULT <benoit.papillault@free.fr>
Cc: "Dan Carpenter" <error27@gmail.com>,
"Daniel Drake" <dsd@gentoo.org>,
"Ulrich Kunitz" <kune@deine-taler.de>,
"John W. Linville" <linville@tuxdriver.com>,
"Johannes Berg" <johannes@sipsolutions.net>,
"Luis R. Rodriguez" <lrodriguez@atheros.com>,
"André Goddard Rosa" <andre.goddard@gmail.com>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] zd1211rw: fix potential array underflow
Date: Sat, 27 Feb 2010 18:27:30 +0100 [thread overview]
Message-ID: <4B895602.6010801@bfs.de> (raw)
In-Reply-To: <4B892A2F.2040307@free.fr>
Benoit PAPILLAULT schrieb:
> Dan Carpenter a écrit :
>> The first chunk fixes a debugging assert to print a warning about
>> array underflows.
>> The second chunk corrects a potential array underflow. I also removed
>> an assert
>> in the second chunk because it can no longer happen.
>>
>> Signed-off-by: Dan Carpenter <error27@gmail.com>
>> ---
>> This was found by a static check and compile tested only. Please
>> review carefully.
>>
>> diff --git a/drivers/net/wireless/zd1211rw/zd_mac.c
>> b/drivers/net/wireless/zd1211rw/zd_mac.c
>> index f14deb0..ead2f2c 100644
>> --- a/drivers/net/wireless/zd1211rw/zd_mac.c
>> +++ b/drivers/net/wireless/zd1211rw/zd_mac.c
>> @@ -350,7 +350,7 @@ static void zd_mac_tx_status(struct ieee80211_hw
>> *hw, struct sk_buff *skb,
>> first_idx = info->status.rates[0].idx;
>> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
>> retries = &zd_retry_rates[first_idx];
>> - ZD_ASSERT(0<=retry && retry<=retries->count);
>> + ZD_ASSERT(1 <= retry && retry <= retries->count);
>>
> Note: normal hardware always report a tx_status->retry >= 1. There are 2
> code paths to initialize retry itself : either tx_status is NULL and
> then retry=1 (so we are safe), or tx_status is not NULL and retry =
> tx_status->retry + success >=1 (so we are safe again).
>
> However, I wonder how we should handle if it happens that the HW reports
> a tx_status->retry = 0. I think ZD_ASSERT purpose is to catch
> programming errors, not bogus hardware. Comments?
Simply assume the worst, so far i see the patch does not
add more code nor should it change normal behavier.
This will help to make the code more robust.
just my 2 cents,
walter
>>
>> info->status.rates[0].idx = retries->rate[0];
>> info->status.rates[0].count = 1; // (retry > 1 ? 2 : 1);
>> @@ -360,7 +360,7 @@ static void zd_mac_tx_status(struct ieee80211_hw
>> *hw, struct sk_buff *skb,
>> info->status.rates[i].count = 1; // ((i==retry-1) && success
>> ? 1:2);
>> }
>> for (; i<IEEE80211_TX_MAX_RATES && i<retry; i++) {
>> - info->status.rates[i].idx = retries->rate[retry-1];
>> + info->status.rates[i].idx = retries->rate[retry - 1];
>> info->status.rates[i].count = 1; // (success ? 1:2);
>> }
>> if (i<IEEE80211_TX_MAX_RATES)
>> @@ -424,12 +424,10 @@ void zd_mac_tx_failed(struct urb *urb)
>> first_idx = info->status.rates[0].idx;
>> ZD_ASSERT(0<=first_idx && first_idx<ARRAY_SIZE(zd_retry_rates));
>> retries = &zd_retry_rates[first_idx];
>> - if (retry < 0 || retry > retries->count) {
>> + if (retry <= 0 || retry > retries->count)
>> continue;
>> - }
>>
>> - ZD_ASSERT(0<=retry && retry<=retries->count);
>> - final_idx = retries->rate[retry-1];
>> + final_idx = retries->rate[retry - 1];
>> final_rate = zd_rates[final_idx].hw_value;
>>
>> if (final_rate != tx_status->rate) {
>>
>>
> Acked-by: Benoit Papillault <benoit.papillault@free.fr>
>
> Regards,
> Benoit
>
> --
> To unsubscribe from this list: send the line "unsubscribe
> kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
>
next prev parent reply other threads:[~2010-02-27 17:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-27 6:12 [patch] zd1211rw: fix potential array underflow Dan Carpenter
2010-02-27 6:12 ` Dan Carpenter
2010-02-27 14:20 ` Benoit PAPILLAULT
2010-02-27 14:20 ` Benoit PAPILLAULT
2010-02-27 17:27 ` walter harms [this message]
2010-02-27 17:27 ` walter harms
2010-02-27 14:20 ` Benoit PAPILLAULT
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B895602.6010801@bfs.de \
--to=wharms@bfs.de \
--cc=andre.goddard@gmail.com \
--cc=benoit.papillault@free.fr \
--cc=dsd@gentoo.org \
--cc=error27@gmail.com \
--cc=johannes@sipsolutions.net \
--cc=kernel-janitors@vger.kernel.org \
--cc=kune@deine-taler.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=lrodriguez@atheros.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.