On Mon, 16 May 2016 22:42:50 +0300, Don Lewis <truck...@freebsd.org> wrote:

I asked adrian@ privately and he sent me here ...

Coverity is complaining about an array overflow in set80211chanlist().

The code in question is:
        if (first > IEEE80211_CHAN_MAX)
                errx(-1, "channel %u out of range, max %u",
                    first, IEEE80211_CHAN_MAX);
        setbit(chanlist.ic_channels, first);

The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
256 and setbit() would still be called.

The ifconfig man page says that channel numbers should be in the range
1 to 255, so I think the correct fix would be to change this test (as
well as others that follow) to >= IEEE80211_CHAN_MAX.

Does that look correct?

Yes, it's correct (however, there is no driver with such a big channel table,
so it cannot be reproduced right now).
+ there is an overflow in the next (last > CHAN_MAX) check too.


Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255.

It is already used as the channel array size and max channel number;
changing its meaning to [max array index] will require more changes
(one in regdomain_addchans(), more in net80211 and drivers).
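Added illustration (not code from the ifconfig or net80211 sources): a constructed stand-in for the channel bitmap with IEEE80211_CHAN_MAX set to 256 as quoted above, showing why the original `first > IEEE80211_CHAN_MAX` test lets channel 256 through to setbit() while the array only holds bits 0..255, and a range-setting helper that applies the `>=` check to both ends of the range before touching the bitmap. The struct layout, the byte-count macro and the helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel definitions: the value 256 is the one
 * quoted in the thread; the byte-count macro and struct are assumptions. */
#define IEEE80211_CHAN_MAX 256
#define NBBY 8
#define IEEE80211_CHAN_BYTES ((IEEE80211_CHAN_MAX + NBBY - 1) / NBBY)

struct chanlist {
    uint8_t ic_channels[IEEE80211_CHAN_BYTES]; /* 32 bytes: bits 0..255 */
};

#define setbit(a, i) ((a)[(i) / NBBY] |= (uint8_t)(1 << ((i) % NBBY)))

/* 1 if setbit() on this channel stays inside ic_channels, 0 if the byte
 * index it would use (chan / 8) is past the end of the array. */
int setbit_index_in_bounds(unsigned chan)
{
    return (chan / NBBY) < IEEE80211_CHAN_BYTES;
}

/* The test as posted: only rejects values strictly greater than 256. */
int original_check_accepts(unsigned chan)
{
    return !(chan > IEEE80211_CHAN_MAX);
}

/* The proposed fix: rejects 256 as well, so every accepted value indexes
 * a byte that exists. */
int fixed_check_accepts(unsigned chan)
{
    return !(chan >= IEEE80211_CHAN_MAX);
}

/* Validate both ends of a range (man page: channels 1..255) before any
 * bit is set; returns 0 on success, -1 with the bitmap untouched otherwise. */
int set_chan_range(struct chanlist *cl, unsigned first, unsigned last)
{
    if (first < 1 || last < first || last >= IEEE80211_CHAN_MAX)
        return -1;
    for (unsigned c = first; c <= last; c++)
        setbit(cl->ic_channels, c);
    return 0;
}

int chan_is_set(const struct chanlist *cl, unsigned chan)
{
    return (cl->ic_channels[chan / NBBY] >> (chan % NBBY)) & 1;
}

int main(void)
{
    struct chanlist cl;
    memset(&cl, 0, sizeof cl);
    printf("original check accepts 256: %d, in bounds: %d\n",
           original_check_accepts(256), setbit_index_in_bounds(256));
    printf("fixed check accepts 256: %d\n", fixed_check_accepts(256));
    printf("set 1..11 -> %d, set 250..256 -> %d\n",
           set_chan_range(&cl, 1, 11), set_chan_range(&cl, 250, 256));
    return 0;
}
```

With the original comparison, channel 256 passes the check and setbit() writes to byte index 32 of a 32-byte array, which is exactly the out-of-bounds write Coverity reports; the same reasoning applies to the `last` bound, so the helper checks both.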




_______________________________________________
freebsd-wireless@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-wireless
To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"