Return-path:
Received: from mga01.intel.com ([192.55.52.88]:29340 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751660AbbHNEcD convert rfc822-to-8bit (ORCPT ); Fri, 14 Aug 2015 00:32:03 -0400
From: "Grumbach, Emmanuel"
To: Adrien Schildknecht , "Berg, Johannes"
CC: "ilw@linux.intel.com" , "kvalo@codeaurora.org" , "linux-wireless@vger.kernel.org" , "netdev@vger.kernel.org" , "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] iwlwifi: out-of-bounds access in iwl_init_sband_channels
Date: Fri, 14 Aug 2015 04:31:55 +0000
Message-ID: <0BA3FCBA62E2DC44AF3030971E174FB32E7EA2CE@hasmsx107.ger.corp.intel.com> (sfid-20150814_063230_043172_C765F948)
References: <1439512532-7901-1-git-send-email-adrien+dev@schischi.me>
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Sender: linux-wireless-owner@vger.kernel.org
List-ID:

Hi,

On 08/14/2015 03:36 AM, Adrien Schildknecht wrote:
> Both loops of this function compare data from the 'chan' array and then
> check if the index is valid.
>
> The 2 conditions should be inverted to avoid an out-of-bounds access.
>

Was that found by a static analyzer or any other automated tool, or was
that the result of your very careful review?

> Signed-off-by: Adrien Schildknecht
> --- > drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c > index 21302b6..acc3d18 100644 > --- a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c > +++ b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c 
> @@ -713,12 +713,12 @@ int iwl_init_sband_channels(struct iwl_nvm_data *data, > struct ieee80211_channel *chan = &data->channels[0]; > int n = 0, idx = 0; > > - while (chan->band != band && idx < n_channels) > + while (idx < n_channels && chan->band != band) > chan = &data->channels[++idx]; > > sband->channels = &data->channels[idx]; > > - while (chan->band == band && idx < n_channels) { > + while (idx < n_channels && chan->band == band) { > chan = &data->channels[++idx]; > n++; > } > Looks fine - I'll pick it up.
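
Review bot: both loops still advance with "chan = &data->channels[++idx];", so once idx reaches n_channels the code forms the address of the entry just past the checked range, and when no channel matches 'band' the first loop exits with idx == n_channels and "sband->channels = &data->channels[idx];" stores that same address. With the reordered conditions nothing reads through it, because the "idx < n_channels" test short-circuits first and n stays 0, but that safety now rests entirely on the operand order in the two while conditions. Consider dropping the separate 'chan' pointer and testing data->channels[idx].band directly in both conditions, so the bound check and the access use the same index. It would also help if the commit message said that the old order read chan->band at idx == n_channels before the bound was checked.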