* [patch] iwmc3200wifi: add a range check to iwm_cfg80211_get_key() @ 2011-10-12 8:10 Dan Carpenter 2011-10-12 8:26 ` Samuel Ortiz 0 siblings, 1 reply; 4+ messages in thread From: Dan Carpenter @ 2011-10-12 8:10 UTC (permalink / raw) To: Samuel Ortiz Cc: Intel Linux Wireless, John W. Linville, linux-wireless, kernel-janitors Smatch complains that "key_index" is capped at 5 in nl80211_get_key() but iwm->keys[] only has 4 elements. I don't know if this is really needed, but the other ->get_key() implementations seemed to check for overflows so I've added a check here. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> diff --git a/drivers/net/wireless/iwmc3200wifi/cfg80211.c b/drivers/net/wireless/iwmc3200wifi/cfg80211.c index ed57e44..c42be81 100644 --- a/drivers/net/wireless/iwmc3200wifi/cfg80211.c +++ b/drivers/net/wireless/iwmc3200wifi/cfg80211.c @@ -187,13 +187,17 @@ static int iwm_cfg80211_get_key(struct wiphy *wiphy, struct net_device *ndev, struct key_params*)) { struct iwm_priv *iwm = ndev_to_iwm(ndev); - struct iwm_key *key = &iwm->keys[key_index]; + struct iwm_key *key; struct key_params params; IWM_DBG_WEXT(iwm, DBG, "Getting key %d\n", key_index); + if (key_index >= IWM_NUM_KEYS) + return -ENOENT; + memset(¶ms, 0, sizeof(params)); + key = &iwm->keys[key_index]; params.cipher = key->cipher; params.key_len = key->key_len; params.seq_len = key->seq_len; ^ permalink raw reply related [flat|nested] 4+ messages in thread
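Review bot: the new bound in iwm_cfg80211_get_key() is IWM_NUM_KEYS, but nothing in the hunk ties that constant to the size of iwm->keys[], which is the array being protected. Writing the test as "if (key_index >= ARRAY_SIZE(iwm->keys))" keeps the check correct if the array declaration ever changes. The type of key_index is also not visible in this hunk; if it is signed here, a negative value passes the ">=" test and still indexes outside the array, so the changelog should say the parameter is unsigned.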
* Re: [patch] iwmc3200wifi: add a range check to iwm_cfg80211_get_key()
From: Samuel Ortiz @ 2011-10-12 8:26 UTC
To: Dan Carpenter
Cc: Intel Linux Wireless, John W. Linville, linux-wireless, kernel-janitors

Hi Dan,

On Wed, Oct 12, 2011 at 11:10:37AM +0300, Dan Carpenter wrote:
> Smatch complains that "key_index" is capped at 5 in nl80211_get_key()
> but iwm->keys[] only has 4 elements. I don't know if this is really
> needed, but the other ->get_key() implementations seemed to check
> for overflows so I've added a check here.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Samuel Ortiz <sameo@linux.intel.com>

Cheers.
Samuel.
--
Intel Open Source Technology Centre
http://oss.intel.com/
---------------------------------------------------------------------
Intel Corporation SAS (French simplified joint stock company)
Registered headquarters: "Les Montalets"- 2, rue de Paris,
92196 Meudon Cedex, France
Registration Number: 302 456 199 R.C.S. NANTERRE
Capital: 4,572,000 Euros

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
* [patch] iwmc3200wifi: add some more range checks 2011-10-12 8:26 ` Samuel Ortiz @ 2011-10-18 6:50 ` Dan Carpenter 2011-10-18 8:39 ` Samuel Ortiz 0 siblings, 1 reply; 4+ messages in thread From: Dan Carpenter @ 2011-10-18 6:50 UTC (permalink / raw) To: Samuel Ortiz Cc: Intel Linux Wireless, John W. Linville, linux-wireless, kernel-janitors My previous patch added a check to get_key() but missed a couple other places which need range checks. The problem here is that wifi drivers have different numbers of keys. The lower levels assume that they can have up to 4 default keys and 2 management keys but this driver only has the default keys so we could go past the end of the ->keys[] array. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> diff --git a/drivers/net/wireless/iwmc3200wifi/cfg80211.c b/drivers/net/wireless/iwmc3200wifi/cfg80211.c index ed57e44..e20a38d 100644 --- a/drivers/net/wireless/iwmc3200wifi/cfg80211.c +++ b/drivers/net/wireless/iwmc3200wifi/cfg80211.c @@ -165,11 +165,15 @@ static int iwm_cfg80211_add_key(struct wiphy *wiphy, struct net_device *ndev, struct key_params *params) { struct iwm_priv *iwm = ndev_to_iwm(ndev); - struct iwm_key *key = &iwm->keys[key_index]; + struct iwm_key *key; int ret; IWM_DBG_WEXT(iwm, DBG, "Adding key for %pM\n", mac_addr); + if (key_index >= IWM_NUM_KEYS) + return -ENOENT; + + key = &iwm->keys[key_index]; memset(key, 0, sizeof(struct iwm_key)); ret = iwm_key_init(key, key_index, mac_addr, params); if (ret < 0) { @@ -210,8 +214,12 @@ static int iwm_cfg80211_del_key(struct wiphy *wiphy, struct net_device *ndev, u8 key_index, bool pairwise, const u8 *mac_addr) { struct iwm_priv *iwm = ndev_to_iwm(ndev); - struct iwm_key *key = &iwm->keys[key_index]; + struct iwm_key *key; + if (key_index >= IWM_NUM_KEYS) + return -ENOENT; + + key = &iwm->keys[key_index]; if (!iwm->keys[key_index].key_len) { IWM_DBG_WEXT(iwm, DBG, "Key %d not used\n", key_index); return 0; 
@@ -232,6 +240,9 @@ static int iwm_cfg80211_set_default_key(struct wiphy *wiphy, IWM_DBG_WEXT(iwm, DBG, "Default key index is: %d\n", key_index); + if (key_index >= IWM_NUM_KEYS) + return -ENOENT; + if (!iwm->keys[key_index].key_len) { IWM_ERR(iwm, "Key %d not used\n", key_index); return -EINVAL; ^ permalink raw reply related [flat|nested] 4+ messages in thread
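Review bot: -ENOENT is an odd error for the out-of-range path in iwm_cfg80211_add_key(), because the caller is creating a key rather than looking one up. Consider -EINVAL for an index the driver cannot store, or say in the changelog why -ENOENT was chosen for the add path as well. The same two-line check is now repeated in every key callback this patch touches, so a small helper that validates key_index would keep the bound in one place.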
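Review bot: in iwm_cfg80211_del_key() the line directly after the new "key = &iwm->keys[key_index];" still tests "iwm->keys[key_index].key_len", although key now points at that same element. Use "if (!key->key_len)" there so the function indexes the array in one place only, after the range check. Since key_index is declared u8 in this function, the ">=" test alone is sufficient here.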
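Review bot: the out-of-range path added to iwm_cfg80211_set_default_key() returns -ENOENT, while the unused-key path two lines below it returns -EINVAL. Both mean the caller named a key that cannot become the default, so either use one error code for both or add a comment explaining the distinction callers are meant to rely on. Note also that the IWM_DBG_WEXT line above the check logs the index before it has been validated, which is harmless but worth knowing when reading debug output.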
* Re: [patch] iwmc3200wifi: add some more range checks
From: Samuel Ortiz @ 2011-10-18 8:39 UTC
To: Dan Carpenter
Cc: Intel Linux Wireless, John W. Linville, linux-wireless, kernel-janitors

Hi Dan,

On Tue, Oct 18, 2011 at 09:50:43AM +0300, Dan Carpenter wrote:
> My previous patch added a check to get_key() but missed a couple
> other places which need range checks.
>
> The problem here is that wifi drivers have different numbers of keys.
> The lower levels assume that they can have up to 4 default keys and
> 2 management keys but this driver only has the default keys so we
> could go past the end of the ->keys[] array.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Samuel Ortiz <sameo@linux.intel.com>

Cheers,
Samuel.
--
Intel Open Source Technology Centre
http://oss.intel.com/