From: Kalle Valo <kvalo@qca.qualcomm.com>
To: <rmani@qca.qualcomm.com>
Cc: <linux-wireless@vger.kernel.org>,
ath6kl-devel <ath6kl-devel@qualcomm.com>
Subject: Re: [PATCH 2/3] ath6kl: Check for valid rate table index
Date: Fri, 21 Sep 2012 12:16:51 +0300 [thread overview]
Message-ID: <505C3083.9090408@qca.qualcomm.com> (raw)
In-Reply-To: <1348122068-24648-2-git-send-email-rmani@qca.qualcomm.com>
On 09/20/2012 09:21 AM, rmani@qca.qualcomm.com wrote:
> From: Raja Mani <rmani@qca.qualcomm.com>
>
> There are 28 items defined in rate table array 'wmi_rate_tbl'.
> The rate table index (reply->rate_index) in ath6kl_wmi_bitrate_reply_rx()
> func is not checked for the valid max limit index before accessing
> rate table array. There may be some incidents to get memory crashes
> without safe max check. Fix this.
>
> Found this on code review.
>
> Signed-off-by: Raja Mani <rmani@qca.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath6kl/wmi.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
> index d5263ff..666f56d 100644
> --- a/drivers/net/wireless/ath/ath6kl/wmi.c
> +++ b/drivers/net/wireless/ath/ath6kl/wmi.c
> @@ -1171,6 +1171,9 @@ static int ath6kl_wmi_bitrate_reply_rx(struct wmi *wmi, u8 *datap, int len)
> rate = RATE_AUTO;
> } else {
> index = reply->rate_index & 0x7f;
> + if (index > (RATE_MCS_7_40 + 1))
> + return -EINVAL;
Please add WARN_ON_ONCE() to catch this easily:
if (WARN_ON_ONCE(index > (RATE_MCS_7_40 + 1)))
return -EINVAL;
Kalle
next prev parent reply other threads:[~2012-09-21 9:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-20 6:21 [PATCH 1/3] ath6kl: Avoid null ptr dereference while printing reg domain pair rmani
2012-09-20 6:21 ` [PATCH 2/3] ath6kl: Check for valid rate table index rmani
2012-09-21 9:16 ` Kalle Valo [this message]
2012-09-20 6:21 ` [PATCH 3/3] ath6kl: Check for valid endpoint ID values in ath6kl_control_tx() rmani
2012-09-21 9:18 ` Kalle Valo
2012-09-21 9:34 ` Raja Mani
2012-09-21 9:35 ` Raja Mani
2012-09-21 9:14 ` [PATCH 1/3] ath6kl: Avoid null ptr dereference while printing reg domain pair Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=505C3083.9090408@qca.qualcomm.com \
--to=kvalo@qca.qualcomm.com \
--cc=ath6kl-devel@qualcomm.com \
--cc=linux-wireless@vger.kernel.org \
--cc=rmani@qca.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.