2010-08-11 20:34:23

by Denis Kirjanov

[permalink] [raw]
Subject: [PATCH] orinoco: Fix walking past the end of the buffer

Fix walking past the end of the bitrate_table array
in the case when the loop counter == BITRATE_TABLE_SIZE.
Mark bitrate as invalid in this case for the orinoco_ioctl_setrate()

Signed-off-by: Denis Kirjanov <[email protected]>
---

diff --git a/drivers/net/wireless/orinoco/hw.c b/drivers/net/wireless/orinoco/hw.c
index 077baa8..191bc03 100644
--- a/drivers/net/wireless/orinoco/hw.c
+++ b/drivers/net/wireless/orinoco/hw.c
@@ -765,9 +765,12 @@ int orinoco_hw_get_act_bitrate(struct orinoco_private *priv, int *bitrate)
if (bitrate_table[i].intersil_txratectrl == val)
break;

- if (i >= BITRATE_TABLE_SIZE)
+ if (i >= BITRATE_TABLE_SIZE) {
printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
priv->ndev->name, val);
+ *bitrate = 100001; /* Mark as invalid */
+ break;
+ }

*bitrate = bitrate_table[i].bitrate * 100000;
break;


2010-08-14 09:45:40

by Dave Kilroy

[permalink] [raw]
Subject: Re: [PATCH] orinoco: Fix walking past the end of the buffer

On Wed, Aug 11, 2010 at 9:32 PM, Denis Kirjanov <[email protected]> wrote:
> diff --git a/drivers/net/wireless/orinoco/hw.c b/drivers/net/wireless/orinoco/hw.c
> index 077baa8..191bc03 100644
> --- a/drivers/net/wireless/orinoco/hw.c
> +++ b/drivers/net/wireless/orinoco/hw.c
> @@ -765,9 +765,12 @@ int orinoco_hw_get_act_bitrate(struct orinoco_private *priv, int *bitrate)
> ? ? ? ? ? ? ? ? ? ? ? ?if (bitrate_table[i].intersil_txratectrl == val)
> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?break;
>
> - ? ? ? ? ? ? ? if (i >= BITRATE_TABLE_SIZE)
> + ? ? ? ? ? ? ? if (i >= BITRATE_TABLE_SIZE) {
> ? ? ? ? ? ? ? ? ? ? ? ?printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? priv->ndev->name, val);
> + ? ? ? ? ? ? ? ? ? ? ? *bitrate = 100001; /* Mark as invalid */

We should propogate the failure by returning an error in the return
code rather than a cryptic bitrate value. The calling function(s)
should then propogate the error through wext/cfg80211 as appropriate.

> + ? ? ? ? ? ? ? ? ? ? ? break;
> + ? ? ? ? ? ? ? }
>
> ? ? ? ? ? ? ? ?*bitrate = bitrate_table[i].bitrate * 100000;
> ? ? ? ? ? ? ? ?break;

We can also make the structure easier to understand by setting the
bitrate within the for loop. Something like the following (I only have
access to gmail ATM, so can't format a proper patch):

for (i = 0; i < BITRATE_TABLE_SIZE; i++)
if (bitrate_table[i].intersil_txratectrl == val) {
*bitrate = bitrate_table[i].bitrate * 100000;
break;
}

if (i >= BITRATE_TABLE_SIZE) {
printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
priv->ndev->name, val);
err = -EIO; /* maybe chose a better value... */
}

break;

Could you update the patch along those lines please?

Thanks,

Dave.