Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753459AbbHNEcF (ORCPT ); Fri, 14 Aug 2015 00:32:05 -0400 Received: from mga01.intel.com ([192.55.52.88]:29340 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751660AbbHNEcD convert rfc822-to-8bit (ORCPT ); Fri, 14 Aug 2015 00:32:03 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.15,675,1432623600"; d="scan'208";a="625277642" From: "Grumbach, Emmanuel" To: Adrien Schildknecht , "Berg, Johannes" CC: "ilw@linux.intel.com" , "kvalo@codeaurora.org" , "linux-wireless@vger.kernel.org" , "netdev@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels Thread-Topic: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels Thread-Index: AQHQ1ik67WGO1FFz2USCl890nF7Hqg== Date: Fri, 14 Aug 2015 04:31:55 +0000 Message-ID: <0BA3FCBA62E2DC44AF3030971E174FB32E7EA2CE@hasmsx107.ger.corp.intel.com> References: <1439512532-7901-1-git-send-email-adrien+dev@schischi.me> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.255.203.31] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1588 Lines: 44 Hi, On 08/14/2015 03:36 AM, Adrien Schildknecht wrote: > Both loops of this function compare data from the 'chan' array and then > check if the index is valid. > > The 2 conditions should be inverted to avoid an out-of-bounds access. > Was that found by a static analyzer or any other automated tool, or was that the result of your very careful review? > Signed-off-by: Adrien Schildknecht > --- > drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c > index 21302b6..acc3d18 100644 > --- a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c > +++ b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c > @@ -713,12 +713,12 @@ int iwl_init_sband_channels(struct iwl_nvm_data *data, > struct ieee80211_channel *chan = &data->channels[0]; > int n = 0, idx = 0; > > - while (chan->band != band && idx < n_channels) > + while (idx < n_channels && chan->band != band) > chan = &data->channels[++idx]; > > sband->channels = &data->channels[idx]; > > - while (chan->band == band && idx < n_channels) { > + while (idx < n_channels && chan->band == band) { > chan = &data->channels[++idx]; > n++; > } > Looks fine - I'll pick it up. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/