[kbuild] [next:master 3674/6788] net/wireless/util.c:1297 cfg80211_iter_combinations() error: buffer overflow 'iftype_num' 11 <= 11

Fri, 14 Nov 2014 15:40:35 -0800 

TO: Rostislav Lisovy <[email protected]>
CC: Johannes Berg <[email protected]>

tree:   git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
head:   d7e5a72b951a4ef6d97b2aa43cad37f237ba8030
commit: 6e0bd6c35b021dc73a81ebd1ef79761233c48b50 [3674/6788] cfg80211: 802.11p 
OCB mode handling
:::::: branch date: 15 hours ago
:::::: commit date: 10 days ago

net/wireless/util.c:1297 cfg80211_iter_combinations() error: buffer overflow 
'iftype_num' 11 <= 11
net/wireless/util.c:1298 cfg80211_iter_combinations() error: buffer overflow 
'iftype_num' 11 <= 11
net/wireless/util.c:1327 cfg80211_iter_combinations() error: buffer overflow 
'iftype_num' 11 <= 11
net/wireless/util.c:1329 cfg80211_iter_combinations() error: buffer overflow 
'iftype_num' 11 <= 11

git remote add next 
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
git remote update next
git checkout 6e0bd6c35b021dc73a81ebd1ef79761233c48b50
vim +/iftype_num +1297 net/wireless/util.c

8c48b50a Felix Fietkau  2014-05-05  1291                if (regdom)
8c48b50a Felix Fietkau  2014-05-05  1292                        region = 
regdom->dfs_region;
8c48b50a Felix Fietkau  2014-05-05  1293                rcu_read_unlock();
8c48b50a Felix Fietkau  2014-05-05  1294        }
8c48b50a Felix Fietkau  2014-05-05  1295  
cb2d956d Luciano Coelho 2014-02-17  1296        for (iftype = 0; iftype < 
NUM_NL80211_IFTYPES; iftype++) {
cb2d956d Luciano Coelho 2014-02-17 @1297                num_interfaces += 
iftype_num[iftype];
cb2d956d Luciano Coelho 2014-02-17 @1298                if (iftype_num[iftype] 
> 0 &&
cb2d956d Luciano Coelho 2014-02-17  1299                    
!(wiphy->software_iftypes & BIT(iftype)))
cb2d956d Luciano Coelho 2014-02-17  1300                        used_iftypes |= 
BIT(iftype);
cb2d956d Luciano Coelho 2014-02-17  1301        }
cb2d956d Luciano Coelho 2014-02-17  1302  
cb2d956d Luciano Coelho 2014-02-17  1303        for (i = 0; i < 
wiphy->n_iface_combinations; i++) {
cb2d956d Luciano Coelho 2014-02-17  1304                const struct 
ieee80211_iface_combination *c;
cb2d956d Luciano Coelho 2014-02-17  1305                struct 
ieee80211_iface_limit *limits;
cb2d956d Luciano Coelho 2014-02-17  1306                u32 all_iftypes = 0;
cb2d956d Luciano Coelho 2014-02-17  1307  
cb2d956d Luciano Coelho 2014-02-17  1308                c = 
&wiphy->iface_combinations[i];
cb2d956d Luciano Coelho 2014-02-17  1309  
cb2d956d Luciano Coelho 2014-02-17  1310                if (num_interfaces > 
c->max_interfaces)
cb2d956d Luciano Coelho 2014-02-17  1311                        continue;
cb2d956d Luciano Coelho 2014-02-17  1312                if 
(num_different_channels > c->num_different_channels)
cb2d956d Luciano Coelho 2014-02-17  1313                        continue;
cb2d956d Luciano Coelho 2014-02-17  1314  
cb2d956d Luciano Coelho 2014-02-17  1315                limits = 
kmemdup(c->limits, sizeof(limits[0]) * c->n_limits,
cb2d956d Luciano Coelho 2014-02-17  1316                                 
GFP_KERNEL);
cb2d956d Luciano Coelho 2014-02-17  1317                if (!limits)
cb2d956d Luciano Coelho 2014-02-17  1318                        return -ENOMEM;
cb2d956d Luciano Coelho 2014-02-17  1319  
cb2d956d Luciano Coelho 2014-02-17  1320                for (iftype = 0; iftype 
< NUM_NL80211_IFTYPES; iftype++) {
cb2d956d Luciano Coelho 2014-02-17  1321                        if 
(wiphy->software_iftypes & BIT(iftype))
cb2d956d Luciano Coelho 2014-02-17  1322                                
continue;
cb2d956d Luciano Coelho 2014-02-17  1323                        for (j = 0; j < 
c->n_limits; j++) {
cb2d956d Luciano Coelho 2014-02-17  1324                                
all_iftypes |= limits[j].types;
cb2d956d Luciano Coelho 2014-02-17  1325                                if 
(!(limits[j].types & BIT(iftype)))
cb2d956d Luciano Coelho 2014-02-17  1326                                        
continue;
cb2d956d Luciano Coelho 2014-02-17 @1327                                if 
(limits[j].max < iftype_num[iftype])
cb2d956d Luciano Coelho 2014-02-17  1328                                        
goto cont;
cb2d956d Luciano Coelho 2014-02-17 @1329                                
limits[j].max -= iftype_num[iftype];
cb2d956d Luciano Coelho 2014-02-17  1330                        }
cb2d956d Luciano Coelho 2014-02-17  1331                }
cb2d956d Luciano Coelho 2014-02-17  1332  

:::::: The code at line 1297 was first introduced by commit
:::::: cb2d956dd329caa11b5ece454dc52253aa038e73 cfg80211: refactor 
cfg80211_can_use_iftype_chan()

:::::: TO: Luciano Coelho <[email protected]>
:::::: CC: Johannes Berg <[email protected]>

---
0-DAY kernel test infrastructure                Open Source Technology Center
http://lists.01.org/mailman/listinfo/kbuild                 Intel Corporation
_______________________________________________
kbuild mailing list
[email protected]
https://lists.01.org/mailman/listinfo/kbuild

Reply via email to