From: Hauke Mehrtens <hauke@hauke-m.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Arend van Spriel <arend@broadcom.com>, linux-wireless@vger.kernel.org
Subject: Re: brcmsmac: use sprom from bcma
Date: Fri, 18 May 2012 21:12:37 +0200 [thread overview]
Message-ID: <4FB69F25.3040707@hauke-m.de> (raw)
In-Reply-To: <20120517191339.GA17018@elgon.mountain>
On 05/17/2012 09:13 PM, Dan Carpenter wrote:
> Hello Hauke, Arend,
>
> The patch 898d3c3b2462: "brcmsmac: use sprom from bcma" from Apr 29,
> 2012, leads to the following warning:
> drivers/net/wireless/brcm80211/brcmsmac/channel.c:645
> brcms_c_country_valid()
> error: buffer overflow 'ccode' 2 <= 2
>
> - if (ccode && brcms_c_country_valid(ccode))
> - strncpy(wlc->pub->srom_ccode, ccode, BRCM_CNTRY_BUF_SZ - 1);
> + if (sprom->alpha2 && brcms_c_country_valid(sprom->alpha2))
> ^^^^^^^^^^^^^
> This is a two character array. It's not NULL terminated.
>
> + strncpy(wlc->pub->srom_ccode, sprom->alpha2, sizeof(sprom->alpha2));
>
> But in brcms_c_country_valid() we check for the NULL terminator.
>
> 637 static bool brcms_c_country_valid(const char *ccode)
> 638 {
> 639 /*
> 640 * only allow ascii alpha uppercase for the first 2
> 641 * chars.
> 642 */
> 643 if (!((0x80 & ccode[0]) == 0 && ccode[0] >= 0x41 && ccode[0] <= 0x5A &&
> 644 (0x80 & ccode[1]) == 0 && ccode[1] >= 0x41 && ccode[1] <= 0x5A &&
> 645 ccode[2] == '\0'))
> ^^^^^^^^^^^^^^^^
> Here.
>
> 646 return false;
>
> My guess is that this works because -> leddc_on_time is mostly zero.
>
> regards,
> dan carpenter
>
Hi Dan,
your guess is probably right, but I do not know want is the best
solution to fix this. I set this to 2 byte as there are just two bytes
memory for this in the sprom. In the nvram of some SoC I also found a 3
letter code ccode=US2 and an other wrong two letter code ccode=Q2. What
is the way we should handle this?
1. just read the first 2 bytes and ignore the rest -> change
brcms_c_country_valid() and some SoC parsing code.
2. read the first 2 bytes and reject longer codes as completely invalid
(probably just found in nvram on SoCs) -> change brcms_c_country_valid()
3. read 4 (or more) bytes and let brcmsmac decide what is a valid code
-> change sprom struct and some more code
I would vote for number 2.
@Arend by the way how should the code EU or 0 be handled? It is used on
all my recent SoCs.
Hauke
next prev parent reply other threads:[~2012-05-18 19:13 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-17 19:13 brcmsmac: use sprom from bcma Dan Carpenter
2012-05-18 19:12 ` Hauke Mehrtens [this message]
2012-05-19 8:46 ` Arend van Spriel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FB69F25.3040707@hauke-m.de \
--to=hauke@hauke-m.de \
--cc=arend@broadcom.com \
--cc=dan.carpenter@oracle.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.