Received: by 10.192.165.148 with SMTP id m20csp3852415imm; Mon, 30 Apr 2018 07:29:59 -0700 (PDT) X-Google-Smtp-Source: AB8JxZougT81SA2z1wLnvZjZr7StmqC/cQycGRVphioQQNdHjZlRiP65T7SecvaDigSnRv4ayMtv X-Received: by 2002:a65:5244:: with SMTP id q4-v6mr10147061pgp.201.1525098599282; Mon, 30 Apr 2018 07:29:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525098599; cv=none; d=google.com; s=arc-20160816; b=aEwujRVCxrVeKarFqCb/TuGDhWeQ59X0X8jXjYtKgQW/pHSPveb9C58YTlpAovuYSs JV9y/4sNxFE6DhqJi6H03ddbe0/RDGraer4kvjBWEXspck137tYclxxEILFKpJ1T3Uwa vxqyTIEgbp8N5p3NYlqwlL6Io+e2C80kXdF2niqDlU4Z96RLNCaV+FgTzq6MykOShPXO H9BEzgQx+YBW2p/2SHVwqSeAgBkLgXua7zqw2k3B1bt8cpJrYljsaJsFp4m9oD+6/xaM 7QpQD9IMtJLzp5RWZdMaaaA5rl1qLTKoUxXG6VJ5NjHEOpnRNuiwGOUi5imKq3EZAggb ScPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date:arc-authentication-results; bh=kPhMzkW91+ldwJv1vrnJygqXEZyrfw33/l1pKKF2xac=; b=avN3gDGaSjhtIzG9Kn18u9tsmPNjk5XxqQ7+1s6fyVBDWcnwDxCL8G4F/RinQ1T00c n3PxK7jwB/WZGKvqr91O6pQTlh0HA8bttKbHTXKYdRkIOiIDAXqpWXUt/cvSn/TRLkZS TS86XoyKJlZL59szKN9NpFNe9TCj4qB3UtX9EQmn8Ip3R7K4/Q1aXOe5PdJGXcrc2/gF 8xovYSnx0d++YyEpprLTATHDatmFkvmq8+oXxwXWuU9RpF4GZIA5VhgZb1qPVRS0v480 tzaiPMWEU3Y4skUsQxePutUaufK8BhlHWz7SqmLrVIJEPt2Rpsx7guH48tkram5yYO8z y52A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q3si7791534pfg.298.2018.04.30.07.29.45; Mon, 30 Apr 2018 07:29:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754138AbeD3O3b (ORCPT + 99 others); Mon, 30 Apr 2018 10:29:31 -0400 Received: from esa1.microchip.iphmx.com ([68.232.147.91]:12542 "EHLO esa1.microchip.iphmx.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753592AbeD3O33 (ORCPT ); Mon, 30 Apr 2018 10:29:29 -0400 X-IronPort-AV: E=Sophos;i="5.49,346,1520924400"; d="scan'208";a="14353717" Received: from smtpout.microchip.com (HELO email.microchip.com) ([198.175.253.82]) by esa1.microchip.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 30 Apr 2018 07:29:28 -0700 Received: from ajaysk-VirtualBox (10.10.76.4) by chn-sv-exch04.mchp-main.com (10.10.76.105) with Microsoft SMTP Server id 14.3.352.0; Mon, 30 Apr 2018 07:29:28 -0700 Date: Mon, 30 Apr 2018 19:59:16 +0530 From: Ajay Singh To: "Gustavo A. R. Silva" CC: Ganesh Krishna , Greg Kroah-Hartman , , , , Subject: Re: [PATCH] staging: wilc1000: fix infinite loop and out-of-bounds access Message-ID: <20180430195916.596a93eb@ajaysk-VirtualBox> In-Reply-To: <20180430125040.GA19050@embeddedor.com> References: <20180430125040.GA19050@embeddedor.com> Organization: Microchip Technology MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Reviewed-by: Ajay Singh On Mon, 30 Apr 2018 07:50:40 -0500 "Gustavo A. R. Silva" wrote: > If i < slot_id is initially true then it will remain true. Also, > as i is being decremented it will end up accessing memory out of > bounds. > > Fix this by incrementing *i* instead of decrementing it. Nice catch! Thanks for submitting the changes. > > Addresses-Coverity-ID: 1468454 ("Infinite loop") > Fixes: faa657641081 ("staging: wilc1000: refactor scan() to free > kmalloc memory on failure cases") > Signed-off-by: Gustavo A. R. Silva > --- > > BTW... at first sight it seems to me that variables slot_id > and i should be of type unsigned instead of signed. Yes, 'slot_id' & 'i' can be changed to unsigned int. > > drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c > b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c index > 3ca0c97..67104e8 100644 --- > a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c +++ > b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c @@ -608,7 > +608,7 @@ wilc_wfi_cfg_alloc_fill_ssid(struct cfg80211_scan_request > *request, out_free: > > - for (i = 0; i < slot_id ; i--) > + for (i = 0; i < slot_id; i++) > kfree(ntwk->net_info[i].ssid); > > kfree(ntwk->net_info); Regards, Ajay