2015-08-21 12:08:46

by Johannes Berg

Subject: [PATCH] mac80211: fix VHT MCS mask array overrun

From: Johannes Berg <[email protected]>

The HT MCS mask has 9 bytes, the VHT one only has 8 streams.
Split the loops to handle this correctly.

Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
---
net/mac80211/cfg.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 685ec13ed7c2..f4ed256c2d8e 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2514,15 +2514,17 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
continue;

for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
- if (~sdata->rc_rateidx_mcs_mask[i][j])
+ if (~sdata->rc_rateidx_mcs_mask[i][j]) {
sdata->rc_has_mcs_mask[i] = true;
+ break;
+ }
+ }

- if (~sdata->rc_rateidx_vht_mcs_mask[i][j])
+ for (j = 0; j < NL80211_VHT_NSS_MAX; j++) {
+ if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) {
sdata->rc_has_vht_mcs_mask[i] = true;
-
- if (sdata->rc_has_mcs_mask[i] &&
- sdata->rc_has_vht_mcs_mask[i])
break;
+ }
}
}
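
Review bot: In both rewritten tests, `if (~sdata->rc_rateidx_mcs_mask[i][j])` and `if (~sdata->rc_rateidx_vht_mcs_mask[i][j])`, the operand is promoted to int before `~` is applied. If the mask elements are narrower than int (the commit message describes the HT mask as bytes), the result is never zero, even for an all-ones entry, so rc_has_mcs_mask[i] and rc_has_vht_mcs_mask[i] would be set on the first iteration regardless of the mask contents. Splitting the loops addresses the overrun, but consider comparing each element against its all-ones value explicitly (for a byte, `!= 0xff`) so the flags are set only when the mask actually restricts something.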

--
2.1.4



2015-08-21 13:25:00

by Lorenzo Bianconi

Subject: Re: [PATCH] mac80211: fix VHT MCS mask array overrun

> From: Johannes Berg <[email protected]>
>
> The HT MCS mask has 9 bytes, the VHT one only has 8 streams.
> Split the loops to handle this correctly.
>
> Reported-by: Dan Carpenter <[email protected]>
> Signed-off-by: Johannes Berg <[email protected]>
> ---
> net/mac80211/cfg.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
> index 685ec13ed7c2..f4ed256c2d8e 100644
> --- a/net/mac80211/cfg.c
> +++ b/net/mac80211/cfg.c
> @@ -2514,15 +2514,17 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
> continue;
>
> for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
> - if (~sdata->rc_rateidx_mcs_mask[i][j])
> + if (~sdata->rc_rateidx_mcs_mask[i][j]) {
> sdata->rc_has_mcs_mask[i] = true;
> + break;
> + }
> + }
>
> - if (~sdata->rc_rateidx_vht_mcs_mask[i][j])
> + for (j = 0; j < NL80211_VHT_NSS_MAX; j++) {
> + if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) {
> sdata->rc_has_vht_mcs_mask[i] = true;
> -
> - if (sdata->rc_has_mcs_mask[i] &&
> - sdata->rc_has_vht_mcs_mask[i])
> break;
> + }
> }
> }
>
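
Review bot: The bound of the new VHT loop, `j < NL80211_VHT_NSS_MAX`, is still a named constant that has to be kept in step with the declared size of rc_rateidx_vht_mcs_mask[i], which is the same kind of mismatch this patch is fixing. Assuming both masks are fixed-size arrays inside sdata, using ARRAY_SIZE(sdata->rc_rateidx_vht_mcs_mask[i]) here and ARRAY_SIZE(sdata->rc_rateidx_mcs_mask[i]) in the HT loop would tie each loop to the array it indexes, so a later change to either declaration cannot reintroduce the overrun.
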
> --
> 2.1.4
>

Acked-by: Lorenzo Bianconi <[email protected]>

Thanks,

Lorenzo

--
UNIX is Sexy: who | grep -i blonde | talk; cd ~; wine; talk; touch;
unzip; touch; strip; gasp; finger; gasp; mount; fsck; more; yes; gasp;
umount; make clean; sleep