Re: minor array overflow in ifconfig set80211chanlist()
Ok, let's break out the chan array from the ieee chan value (8 bit). We need that done for 11ac. -adrian ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"
Re: minor array overflow in ifconfig set80211chanlist()
Tue, 17 May 2016 01:05:57 +0300 було написано Andriy Voskoboinyk: Tue, 17 May 2016 01:03:03 +0300 було написано Adrian Chadd : Heh, god, it's used for both maximum ieee channel number /and/ the array size? we should eventually fix that; 11ac channels will likely overflow all of the above. :( No (yes) :) I mean ic->ic_nchans and nitems(ic->ic_channels) ... but you are right: ic_ieee is uint8_t, so it's limited by this number too. ... but there is another macro with the same value: ieee80211_scan_sta.c: #define MAX_IEEE_CHAN 256 /* max acceptable IEEE chan # */ CTASSERT(MAX_IEEE_CHAN >= 256); -a ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org" ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org" ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"
Re: minor array overflow in ifconfig set80211chanlist()
Tue, 17 May 2016 01:03:03 +0300 було написано Adrian Chadd: Heh, god, it's used for both maximum ieee channel number /and/ the array size? we should eventually fix that; 11ac channels will likely overflow all of the above. :( No (yes) :) I mean ic->ic_nchans and nitems(ic->ic_channels) ... but you are right: ic_ieee is uint8_t, so it's limited by this number too. -a ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org" ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"
Re: minor array overflow in ifconfig set80211chanlist()
On 16 May 2016 at 15:05, Andriy Voskoboinykwrote: > Tue, 17 May 2016 01:03:03 +0300 було написано Adrian Chadd > : > >> Heh, god, it's used for both maximum ieee channel number /and/ the >> array size? we should eventually fix that; 11ac channels will likely >> overflow all of the above. :( > > > No (yes) :) > I mean ic->ic_nchans and nitems(ic->ic_channels) > ... but you are right: ic_ieee is uint8_t, so it's limited by this number > too. Right. Well, for 11ac they still have the IEEE number, but they also have separate frequency definitions in the IEs for upper/lower 80MHz and the configuration therein. -adrian ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"
Re: minor array overflow in ifconfig set80211chanlist()
Heh, god, it's used for both maximum ieee channel number /and/ the array size? we should eventually fix that; 11ac channels will likely overflow all of the above. :( -a ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"
Re: minor array overflow in ifconfig set80211chanlist()
Mon, 16 May 2016 22:42:50 +0300 було написано Don Lewis: I asked adrian@ privately and he sent me here ... Coverity is complaining about an array overflow in set80211chanlist(). The code in question is: if (first > IEEE80211_CHAN_MAX) errx(-1, "channel %u out of range, max %u", first, IEEE80211_CHAN_MAX); setbit(chanlist.ic_channels, first); The value of IEEE80211_CHAN_MAX is 256, so first could be as large as 256 and setbit() would still be called. The ifconfig man page says that channel numbers should be in the range 1 to 255, so I think the correct fix would be to change this test (as well as others that follow) to >= IEEE80211_CHAN_MAX. Does that look correct? Yes, it's correct (however, there is no driver with such big channel table, so it cannot be reproduced right now). + there is an overflow in the next (last > CHAN_MAX) check too. Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255. It is already used as channel array size and max channel number; changing it's meaning to [max array index] will require more changes (one in regdomain_addchans(), more in net80211 and drivers). ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org" ___ freebsd-wireless@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-wireless To unsubscribe, send any mail to "freebsd-wireless-unsubscr...@freebsd.org"