2016-04-11 07:45:18

by Dan Carpenter

[permalink] [raw]
Subject: [patch] ath10k: add some sanity checks

Smatch complains that since "ev->peer_id" comes from skb->data that
means we can't trust it and have to do a bounds check on it to prevent
an array overflow.

Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup')
Signed-off-by: Dan Carpenter <[email protected]>

diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
index 9369411..fd6ba69 100644
--- a/drivers/net/wireless/ath/ath10k/txrx.c
+++ b/drivers/net/wireless/ath/ath10k/txrx.c
@@ -190,6 +190,9 @@ void ath10k_peer_map_event(struct ath10k_htt *htt,
struct ath10k *ar = htt->ar;
struct ath10k_peer *peer;

+ if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS)
+ return;
+
spin_lock_bh(&ar->data_lock);
peer = ath10k_peer_find(ar, ev->vdev_id, ev->addr);
if (!peer) {
@@ -218,6 +221,9 @@ void ath10k_peer_unmap_event(struct ath10k_htt *htt,
struct ath10k *ar = htt->ar;
struct ath10k_peer *peer;

+ if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS)
+ return;
+
spin_lock_bh(&ar->data_lock);
peer = ath10k_peer_find_by_id(ar, ev->peer_id);
if (!peer) {


2016-04-11 08:16:04

by Dan Carpenter

[permalink] [raw]
Subject: [patch v2] ath10k: add some sanity checks

Smatch complains that since "ev->peer_id" comes from skb->data that
means we can't trust it and have to do a bounds check on it to prevent
an array overflow.

Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup')
Signed-off-by: Dan Carpenter <[email protected]>
---
v2: Add a warning message. There is a checkpatch.pl warning that
the alignment should match the open parenthesis but I ignored it because
we're going off the end of the 80 character limit and this way is fine.

diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
index 9369411..0885fce 100644
--- a/drivers/net/wireless/ath/ath10k/txrx.c
+++ b/drivers/net/wireless/ath/ath10k/txrx.c
@@ -190,6 +190,13 @@ void ath10k_peer_map_event(struct ath10k_htt *htt,
struct ath10k *ar = htt->ar;
struct ath10k_peer *peer;

+ if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS) {
+ ath10k_warn(ar,
+ "received htt peer map event with idx out of bounds: %hu\n",
+ ev->peer_id);
+ return;
+ }
+
spin_lock_bh(&ar->data_lock);
peer = ath10k_peer_find(ar, ev->vdev_id, ev->addr);
if (!peer) {
@@ -218,6 +225,13 @@ void ath10k_peer_unmap_event(struct ath10k_htt *htt,
struct ath10k *ar = htt->ar;
struct ath10k_peer *peer;

+ if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS) {
+ ath10k_warn(ar,
+ "received htt peer unmap event with idx out of bounds: %hu\n",
+ ev->peer_id);
+ return;
+ }
+
spin_lock_bh(&ar->data_lock);
peer = ath10k_peer_find_by_id(ar, ev->peer_id);
if (!peer) {

2016-04-19 15:47:56

by Kalle Valo

[permalink] [raw]
Subject: Re: [patch v2] ath10k: add some sanity checks

Dan Carpenter <[email protected]> writes:

> Smatch complains that since "ev->peer_id" comes from skb->data that
> means we can't trust it and have to do a bounds check on it to prevent
> an array overflow.
>
> Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup')
> Signed-off-by: Dan Carpenter <[email protected]>

Applied, thanks.

--
Kalle Valo

2016-04-11 07:52:36

by Michal Kazior

[permalink] [raw]
Subject: Re: [patch] ath10k: add some sanity checks

On 11 April 2016 at 09:44, Dan Carpenter <[email protected]> wrote:
> Smatch complains that since "ev->peer_id" comes from skb->data that
> means we can't trust it and have to do a bounds check on it to prevent
> an array overflow.
>
> Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup')
> Signed-off-by: Dan Carpenter <[email protected]>
>
> diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c
> index 9369411..fd6ba69 100644
> --- a/drivers/net/wireless/ath/ath10k/txrx.c
> +++ b/drivers/net/wireless/ath/ath10k/txrx.c
> @@ -190,6 +190,9 @@ void ath10k_peer_map_event(struct ath10k_htt *htt,
> struct ath10k *ar = htt->ar;
> struct ath10k_peer *peer;
>
> + if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS)
> + return;
> +

This will lead to a timeout in the other part of the code so printing
a warning here will make it easier to understand the failure, e.g.

ath10k_warn(ar, "received htt peer map event with idx out of bounds:
%hu\n", ev->peer_id);


> spin_lock_bh(&ar->data_lock);
> peer = ath10k_peer_find(ar, ev->vdev_id, ev->addr);
> if (!peer) {
> @@ -218,6 +221,9 @@ void ath10k_peer_unmap_event(struct ath10k_htt *htt,
> struct ath10k *ar = htt->ar;
> struct ath10k_peer *peer;
>
> + if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS)
> + return;

Ditto but s/map/unmap.

Anyway, good catch, thanks!


MichaƂ

2016-04-14 14:43:08

by Kalle Valo

[permalink] [raw]
Subject: Re: [patch v2] ath10k: add some sanity checks

Dan Carpenter <[email protected]> writes:

> Smatch complains that since "ev->peer_id" comes from skb->data that
> means we can't trust it and have to do a bounds check on it to prevent
> an array overflow.
>
> Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup')
> Signed-off-by: Dan Carpenter <[email protected]>

In ath.git pending branch I modified the title to be a bit more unique:

ath10k: add some sanity checks to peer_map_event() functions

> ---
> v2: Add a warning message. There is a checkpatch.pl warning that
> the alignment should match the open parenthesis but I ignored it because
> we're going off the end of the 80 character limit and this way is fine.

In ath10k we have used 90 char limit so I fixed this in the pending
branch. And actually I don't think checkpatch complains about the
message format string length of a logging function like ath10k_warn().

--
Kalle Valo