2009-07-28 07:57:03

by Roel Kluin

Subject: [PATCH] libertas: Read outside array bounds

reads bss->rates[j] before checking bounds of index, and should use
ARRAY_SIZE to determine the size of the array.

Signed-off-by: Roel Kluin <[email protected]>
---
diff --git a/drivers/net/wireless/libertas/scan.c b/drivers/net/wireless/libertas/scan.c
index 601b542..6c95af3 100644
--- a/drivers/net/wireless/libertas/scan.c
+++ b/drivers/net/wireless/libertas/scan.c
@@ -5,6 +5,7 @@
* for sending scan commands to the firmware.
*/
#include <linux/types.h>
+#include <linux/kernel.h>
#include <linux/etherdevice.h>
#include <linux/if_arp.h>
#include <asm/unaligned.h>
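
Review bot: The added `#include <linux/kernel.h>` in the include block is not explained in the changelog. A short mention that it is there for ARRAY_SIZE, which the second hunk starts using, would make the reason for the new header explicit.
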
@@ -876,7 +877,7 @@ static inline char *lbs_translate_scan(struct lbs_private *priv,
iwe.u.bitrate.disabled = 0;
iwe.u.bitrate.value = 0;

- for (j = 0; bss->rates[j] && (j < sizeof(bss->rates)); j++) {
+ for (j = 0; j < ARRAY_SIZE(bss->rates) && bss->rates[j]; j++) {
/* Bit rate given in 500 kb/s units */
iwe.u.bitrate.value = bss->rates[j] * 500000;
current_val = iwe_stream_add_value(info, start, current_val,
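
Review bot: The changelog does not say when the old loop condition actually read out of bounds. In the removed line, `bss->rates[j]` is evaluated before `j < sizeof(bss->rates)`, so the read with j equal to the bound happens only when no earlier entry in the array was zero. Stating that condition in the changelog would tell a reader how far past the array the read could go and which scan results trigger it.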


2009-07-28 20:22:16

by Dan Williams

Subject: Re: [PATCH] libertas: Read outside array bounds

On Tue, 2009-07-28 at 09:59 +0200, Roel Kluin wrote:
> reads bss->rates[j] before checking bounds of index, and should use
> ARRAY_SIZE to determine the size of the array.
>
> Signed-off-by: Roel Kluin <[email protected]>

Acked-by: Dan Williams <[email protected]>

> ---
> diff --git a/drivers/net/wireless/libertas/scan.c b/drivers/net/wireless/libertas/scan.c
> index 601b542..6c95af3 100644
> --- a/drivers/net/wireless/libertas/scan.c
> +++ b/drivers/net/wireless/libertas/scan.c
> @@ -5,6 +5,7 @@
> * for sending scan commands to the firmware.
> */
> #include <linux/types.h>
> +#include <linux/kernel.h>
> #include <linux/etherdevice.h>
> #include <linux/if_arp.h>
> #include <asm/unaligned.h>
> @@ -876,7 +877,7 @@ static inline char *lbs_translate_scan(struct lbs_private *priv,
> iwe.u.bitrate.disabled = 0;
> iwe.u.bitrate.value = 0;
>
> - for (j = 0; bss->rates[j] && (j < sizeof(bss->rates)); j++) {
> + for (j = 0; j < ARRAY_SIZE(bss->rates) && bss->rates[j]; j++) {
> /* Bit rate given in 500 kb/s units */
> iwe.u.bitrate.value = bss->rates[j] * 500000;
> current_val = iwe_stream_add_value(info, start, current_val,
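
Review bot: The switch from `sizeof(bss->rates)` to `ARRAY_SIZE(bss->rates)` in the loop bound is a second change, separate from the reordering, and the element type of `rates` is not visible in this hunk. For a byte array both expressions give the same count and only the evaluation order matters; for wider elements the old bound was larger than the array. The changelog could say which case applies here.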