[PATCH 2.6.31] ar9170: fix read & write outside array bounds

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 2.6.31] ar9170: fix read & write outside array bounds
@ 2009-08-09 12:24 Christian Lamparter
  2009-08-10 17:57 ` John W. Linville
  0 siblings, 1 reply; 3+ messages in thread
From: Christian Lamparter @ 2009-08-09 12:24 UTC (permalink / raw)
  To: wireless, Dan Carpenter; +Cc: John W. Linville

From: Dan Carpenter <error27@gmail.com>

queue == __AR9170_NUM_TXQ would cause a bug on the next line.

found by Smatch ( http://repo.or.cz/w/smatch.git ).

Cc: stable@kernel.org
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
---
diff --git a/drivers/net/wireless/ath/ar9170/main.c b/drivers/net/wireless/ath/ar9170/main.c
index 4fc389a..ea8c941 100644
--- a/drivers/net/wireless/ath/ar9170/main.c
+++ b/drivers/net/wireless/ath/ar9170/main.c
@@ -2458,13 +2458,14 @@ static int ar9170_conf_tx(struct ieee80211_hw *hw, u16 queue,
 	int ret;
 
 	mutex_lock(&ar->mutex);
-	if ((param) && !(queue > __AR9170_NUM_TXQ)) {
+	if (queue < __AR9170_NUM_TXQ) {
 		memcpy(&ar->edcf[ar9170_qos_hwmap[queue]],
 		       param, sizeof(*param));
 
 		ret = ar9170_set_qos(ar);
-	} else
+	} else {
 		ret = -EINVAL;
+	}
 
 	mutex_unlock(&ar->mutex);
 	return ret;

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH 2.6.31] ar9170: fix read & write outside array bounds
  2009-08-09 12:24 [PATCH 2.6.31] ar9170: fix read & write outside array bounds Christian Lamparter
@ 2009-08-10 17:57 ` John W. Linville
  0 siblings, 0 replies; 3+ messages in thread
From: John W. Linville @ 2009-08-10 17:57 UTC (permalink / raw)
  To: Christian Lamparter; +Cc: wireless, Dan Carpenter

On Sun, Aug 09, 2009 at 02:24:09PM +0200, Christian Lamparter wrote:
> From: Dan Carpenter <error27@gmail.com>
> 
> queue == __AR9170_NUM_TXQ would cause a bug on the next line.
> 
> found by Smatch ( http://repo.or.cz/w/smatch.git ).
> 
> Cc: stable@kernel.org
> Reported-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
> Signed-off-by: Christian Lamparter <chunkeey@web.de>
> ---
> diff --git a/drivers/net/wireless/ath/ar9170/main.c b/drivers/net/wireless/ath/ar9170/main.c
> index 4fc389a..ea8c941 100644
> --- a/drivers/net/wireless/ath/ar9170/main.c
> +++ b/drivers/net/wireless/ath/ar9170/main.c
> @@ -2458,13 +2458,14 @@ static int ar9170_conf_tx(struct ieee80211_hw *hw, u16 queue,
>  	int ret;
>  
>  	mutex_lock(&ar->mutex);
> -	if ((param) && !(queue > __AR9170_NUM_TXQ)) {
> +	if (queue < __AR9170_NUM_TXQ) {
>  		memcpy(&ar->edcf[ar9170_qos_hwmap[queue]],
>  		       param, sizeof(*param));
>  
>  		ret = ar9170_set_qos(ar);
> -	} else
> +	} else {
>  		ret = -EINVAL;
> +	}
>  
>  	mutex_unlock(&ar->mutex);
>  	return ret;

The p54 version of this patch used hw->queues instead of a constant.
Wouldn't that be better here?

John
-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH 2.6.31] ar9170: fix read & write outside array bounds
@ 2009-08-10 18:56 Chunkeey
  0 siblings, 0 replies; 3+ messages in thread
From: Chunkeey @ 2009-08-10 18:56 UTC (permalink / raw)
  To: John W. Linville; +Cc: Dan Carpenter, wireless

"John W. Linville" <linville@tuxdriver.com> wrote:
> On Sun, Aug 09, 2009 at 02:24:09PM +0200, Christian Lamparter wrote:
> > From: Dan Carpenter <error27@gmail.com>
> > 
> > queue == __AR9170_NUM_TXQ would cause a bug on the next line.
> > 
> > found by Smatch ( http://repo.or.cz/w/smatch.git ).
> > 
> > Cc: stable@kernel.org
> > Reported-by: Dan Carpenter <error27@gmail.com>
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
> > Signed-off-by: Christian Lamparter <chunkeey@web.de>
> > ---
> > diff --git a/drivers/net/wireless/ath/ar9170/main.c b/drivers/net/wireless/ath/ar9170/main.c
> > index 4fc389a..ea8c941 100644
> > --- a/drivers/net/wireless/ath/ar9170/main.c
> > +++ b/drivers/net/wireless/ath/ar9170/main.c
> > @@ -2458,13 +2458,14 @@ static int ar9170_conf_tx(struct ieee80211_hw *hw, u16 queue,
> >  	int ret;
> >  
> >  	mutex_lock(&ar->mutex);
> > -	if ((param) && !(queue > __AR9170_NUM_TXQ)) {
> > +	if (queue < __AR9170_NUM_TXQ) {
> >  		memcpy(&ar->edcf[ar9170_qos_hwmap[queue]],
> >  		       param, sizeof(*param));
> >  
> >  		ret = ar9170_set_qos(ar);
> > -	} else
> > +	} else {
> >  		ret = -EINVAL;
> > +	}
> >  
> >  	mutex_unlock(&ar->mutex);
> >  	return ret;
> 
> The p54 version of this patch used hw->queues instead of a constant.
> Wouldn't that be better here?
Depends...

Other drivers like ath9k/iwlwifi use a constant _check_ as well.
Having constants is always a plus for AOT compilers.

The reason why p54 does this differently and uses a variable
here, is simply because  the number of queues depends on
the firmware revision. Users - with the old, original windows
driver firmwares - have experienced serve stability problems
with QoS enabled.

Regards,
       Chr

________________________________________________________________
Neu: WEB.DE Doppel-FLAT mit Internet-Flatrate + Telefon-Flatrate
für nur 19,99 Euro/mtl.!* http://produkte.web.de/go/02/


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2009-08-10 18:56 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-08-09 12:24 [PATCH 2.6.31] ar9170: fix read & write outside array bounds Christian Lamparter
2009-08-10 17:57 ` John W. Linville
  -- strict thread matches above, loose matches on Subject: below --
2009-08-10 18:56 Chunkeey

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).