From: Hauke Mehrtens <hauke@hauke-m.de>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Arend van Spriel <arend@broadcom.com>, linux-wireless@vger.kernel.org
Subject: Re: brcmsmac: use sprom from bcma
Date: Fri, 18 May 2012 21:12:37 +0200
Message-ID: <4FB69F25.3040707@hauke-m.de>
In-Reply-To: <20120517191339.GA17018@elgon.mountain>
On 05/17/2012 09:13 PM, Dan Carpenter wrote:
> Hello Hauke, Arend,
>
> The patch 898d3c3b2462: "brcmsmac: use sprom from bcma" from Apr 29,
> 2012, leads to the following warning:
> drivers/net/wireless/brcm80211/brcmsmac/channel.c:645
> brcms_c_country_valid()
> error: buffer overflow 'ccode' 2 <= 2
>
> - if (ccode && brcms_c_country_valid(ccode))
> - strncpy(wlc->pub->srom_ccode, ccode, BRCM_CNTRY_BUF_SZ - 1);
> + if (sprom->alpha2 && brcms_c_country_valid(sprom->alpha2))
> ^^^^^^^^^^^^^
> This is a two character array. It's not NULL terminated.
>
> + strncpy(wlc->pub->srom_ccode, sprom->alpha2, sizeof(sprom->alpha2));
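
Review bot: the `sprom->alpha2 &&` test in the new condition is always true if alpha2 is an array member (it is described above as a two character array), so it no longer guards against an absent country code the way the old `ccode &&` pointer test did; checking `sprom->alpha2[0]` would restore that. In the new strncpy, `sizeof(sprom->alpha2)` bounds the copy by the source size and writes no terminator, so `srom_ccode` is a valid string only if it was zeroed beforehand; setting the terminator explicitly after the copy would remove that dependency.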
>
> But in brcms_c_country_valid() we check for the NULL terminator.
>
> 637 static bool brcms_c_country_valid(const char *ccode)
> 638 {
> 639 /*
> 640 * only allow ascii alpha uppercase for the first 2
> 641 * chars.
> 642 */
> 643 if (!((0x80 & ccode[0]) == 0 && ccode[0] >= 0x41 && ccode[0] <= 0x5A &&
> 644 (0x80 & ccode[1]) == 0 && ccode[1] >= 0x41 && ccode[1] <= 0x5A &&
> 645 ccode[2] == '\0'))
> ^^^^^^^^^^^^^^^^
> Here.
>
> 646 return false;
>
> My guess is that this works because -> leddc_on_time is mostly zero.
>
> regards,
> dan carpenter
>
Hi Dan,
your guess is probably right, but I do not know what is the best
solution to fix this. I set this to 2 bytes as there are just two bytes of
memory for this in the sprom. In the nvram of some SoC I also found a 3
letter code ccode=US2 and another wrong two letter code ccode=Q2. What
is the way we should handle this?
1. just read the first 2 bytes and ignore the rest -> change
brcms_c_country_valid() and some SoC parsing code.
2. read the first 2 bytes and reject longer codes as completely invalid
(probably just found in nvram on SoCs) -> change brcms_c_country_valid()
3. read 4 (or more) bytes and let brcmsmac decide what is a valid code
-> change sprom struct and some more code
I would vote for number 2.
@Arend, by the way, how should the code EU or 0 be handled? It is used on
all my recent SoCs.
Hauke
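
Option 2 from the message above, sketched as an added example (not code from this thread or from brcmsmac): the validator takes an explicit length, so it never reads a terminator that a two-byte field does not have, and longer codes are rejected outright. `ccode_valid_n`, `ccode_store`, `ALPHA2_LEN` and `CCODE_BUF_SZ` are hypothetical names and sizes chosen for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ALPHA2_LEN   2  /* size of the SPROM field, per the thread */
#define CCODE_BUF_SZ 4  /* assumed destination size, terminator included */

/* True for exactly two uppercase ASCII letters. The caller states how
 * many bytes are present, so ccode[2] is never touched. */
static bool ccode_valid_n(const char *ccode, size_t len)
{
    if (ccode == NULL || len != ALPHA2_LEN)
        return false;
    return ccode[0] >= 'A' && ccode[0] <= 'Z' &&
           ccode[1] >= 'A' && ccode[1] <= 'Z';
}

/* Accept a two-letter code and reject anything longer. src need not be
 * NUL-terminated; at most max bytes of it are examined. */
static bool ccode_store(char dst[CCODE_BUF_SZ], const char *src, size_t max)
{
    const char *nul = src ? memchr(src, '\0', max) : NULL;
    size_t len = src ? (nul ? (size_t)(nul - src) : max) : 0;

    if (!ccode_valid_n(src, len))
        return false;
    memcpy(dst, src, ALPHA2_LEN);
    dst[ALPHA2_LEN] = '\0';  /* terminate explicitly, no reliance on zeroed memory */
    return true;
}

int main(void)
{
    /* Constructed inputs: a 2-byte field with no terminator, and the
     * two NVRAM strings quoted in the thread. */
    const char alpha2[ALPHA2_LEN] = { 'U', 'S' };
    char dst[CCODE_BUF_SZ];

    printf("US  -> %d\n", ccode_store(dst, alpha2, sizeof(alpha2)));
    printf("US2 -> %d\n", ccode_store(dst, "US2", sizeof("US2")));
    printf("Q2  -> %d\n", ccode_store(dst, "Q2", sizeof("Q2")));
    return 0;
}
```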