2015-08-18 19:47:29

by Dan Carpenter

Subject: re: mac80211: add rate mask logic for vht rates

Hello Lorenzo Bianconi,

The patch b119ad6e726c: "mac80211: add rate mask logic for vht rates"
from Aug 6, 2015, leads to the following static checker warning:

net/mac80211/cfg.c:2520 ieee80211_set_bitrate_mask()
error: buffer overflow 'sdata->rc_rateidx_vht_mcs_mask[i]' 8 <= 9

net/mac80211/cfg.c
  2516          for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
                                ^^^^^^^^^^^^^^^^^^^^^^^^^
This is 10.

  2517                  if (~sdata->rc_rateidx_mcs_mask[i][j])
  2518                          sdata->rc_has_mcs_mask[i] = true;
  2519
  2520                  if (~sdata->rc_rateidx_vht_mcs_mask[i][j])
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
This only has 8 elements.

  2521                          sdata->rc_has_vht_mcs_mask[i] = true;
  2522
  2523                  if (sdata->rc_has_mcs_mask[i] &&
  2524                      sdata->rc_has_vht_mcs_mask[i])
  2525                          break;

Maybe we always break out before we get to the last two iterations?

  2526          }

regards,
dan carpenter


2015-08-19 20:16:02

by Lorenzo Bianconi

Subject: Re: mac80211: add rate mask logic for vht rates

> Hello Lorenzo Bianconi,

Hi Dan,

>
> The patch b119ad6e726c: "mac80211: add rate mask logic for vht rates"
> from Aug 6, 2015, leads to the following static checker warning:
>
> net/mac80211/cfg.c:2520 ieee80211_set_bitrate_mask()
> error: buffer overflow 'sdata->rc_rateidx_vht_mcs_mask[i]' 8 <= 9
>
> net/mac80211/cfg.c
>   2516          for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
>                                 ^^^^^^^^^^^^^^^^^^^^^^^^^
> This is 10.
>
>   2517                  if (~sdata->rc_rateidx_mcs_mask[i][j])
>   2518                          sdata->rc_has_mcs_mask[i] = true;
>   2519
>   2520                  if (~sdata->rc_rateidx_vht_mcs_mask[i][j])
>                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
> This only has 8 elements.
>
>   2521                          sdata->rc_has_vht_mcs_mask[i] = true;
>   2522
>   2523                  if (sdata->rc_has_mcs_mask[i] &&
>   2524                      sdata->rc_has_vht_mcs_mask[i])
>   2525                          break;
>
> Maybe we always break out before we get to the last two iterations?
>

You are right, this chunk is wrong. We have to use two different for
loops to initialize the rc_has_vht_mcs_mask array. I will send a patch in
a few days. Thanks.

>   2526          }
>
> regards,
> dan carpenter

Best regards,

Lorenzo

--
UNIX is Sexy: who | grep -i blonde | talk; cd ~; wine; talk; touch;
unzip; touch; strip; gasp; finger; gasp; mount; fsck; more; yes; gasp;
umount; make clean; sleep
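
The overrun reported in this thread and the two-loop fix proposed in the reply, as an added example that is not part of either message or of the kernel source. The struct, the function names and the element widths are assumptions of this model, and each complement is cast back to its element width so that an all-ones entry tests as zero; the lengths 10 and 8 are the ones the report states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HT_MASK_LEN  10 /* IEEE80211_HT_MCS_MASK_LEN, per the report */
#define VHT_MASK_LEN 8  /* elements of rc_rateidx_vht_mcs_mask[i], per the report */

/* Hypothetical one-band model; element widths are assumptions of this example. */
struct band_masks {
	uint8_t ht[HT_MASK_LEN];
	uint16_t vht[VHT_MASK_LEN];
	bool has_ht, has_vht;
};

/* Replays the reported single loop with a guard in place of the bad read and
 * returns the highest index that loop would have applied to vht[]. */
int shared_loop_max_vht_index(const struct band_masks *m)
{
	bool has_ht = false, has_vht = false;
	int j, max = -1;
	for (j = 0; j < HT_MASK_LEN; j++) {
		has_ht |= (uint8_t)~m->ht[j] != 0;
		max = j; /* the reported code indexes vht[j] here */
		has_vht |= j < VHT_MASK_LEN && (uint16_t)~m->vht[j] != 0;
		if (has_ht && has_vht)
			break;
	}
	return max;
}

/* Two loops, each bounded by the length of the array it indexes. */
void set_flags_two_loops(struct band_masks *m)
{
	int j;
	m->has_ht = m->has_vht = false;
	for (j = 0; j < HT_MASK_LEN && !m->has_ht; j++)
		m->has_ht = (uint8_t)~m->ht[j] != 0;
	for (j = 0; j < VHT_MASK_LEN && !m->has_vht; j++)
		m->has_vht = (uint16_t)~m->vht[j] != 0;
}

int main(void)
{
	struct band_masks m = {0};
	memset(m.ht, 0xff, sizeof(m.ht)); /* constructed input: all-ones HT mask */
	printf("shared loop reaches vht[%d], array holds %d entries\n",
	       shared_loop_max_vht_index(&m), VHT_MASK_LEN);
	return 0;
}
```

In this model the early break depends on the mask contents: when one flag never becomes true, the shared loop runs to index 9, past the last valid entry of the 8-element array.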