Mon, 16 May 2016 22:42:50 +0300 було написано Don Lewis
<[email protected]>:
I asked adrian@ privately and he sent me here ...
Coverity is complaining about an array overflow in set80211chanlist().
The code in question is:
if (first > IEEE80211_CHAN_MAX)
errx(-1, "channel %u out of range, max
%u",
first, IEEE80211_CHAN_MAX);
setbit(chanlist.ic_channels, first);
The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
256 and setbit() would still be called.
The ifconfig man page says that channel numbers should be in the range
1 to 255, so I think the correct fix would be to change this test (as
well as others that follow) to >= IEEE80211_CHAN_MAX.
Does that look correct?
Yes, it's correct (however, there is no driver with such big channel table,
so it cannot be reproduced right now).
+ there is an overflow in the next (last > CHAN_MAX) check too.
Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255.
It is already used as channel array size and max channel number;
changing it's meaning to [max array index] will require more changes
(one in regdomain_addchans(), more in net80211 and drivers).
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-wireless
To unsubscribe, send any mail to
"[email protected]"
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-wireless
To unsubscribe, send any mail to "[email protected]"
