2011-11-26 20:29:59

by David Miller

[permalink] [raw]
Subject: prism54 bug...

Someone please look into this.

In prism2_ioctl_scan_req() gcc generates a warning:

drivers/net/wireless/prism54/isl_ioctl.c: In function ‘prism2_ioctl_scan_req’:
drivers/net/wireless/prism54/isl_ioctl.c:2733:14: warning: array subscript is above array bounds [-Warray-bounds]

it's a pretty serious issue, it's about the call to:

                current_ev = prism54_translate_bss(ndev, &info, current_ev,
                                                   extra + IW_SCAN_MAX_DATA,
                                                   &(bsslist->bsslist[i]),
                                                   noise);

it's not the bsslist->bsslist[i] thing, that's fine.

It's "extra + IW_SCAN_MAX_DATA".

        char *extra = "";
        char *current_ev = "foo";

and IW_SCAN_MAX_DATA is 4096.  Effectively these calls crap IW entries
into random pieces of memory as far as I can tell.

We either need to figure out where this ioctl interface expects the
response to go, or remove the ioctl and this code entirely since it's
obviously not being used.

Thanks.


2011-11-29 17:40:15

by Luis R. Rodriguez

[permalink] [raw]
Subject: Re: prism54 bug...

2011/11/26 David Miller <[email protected]>:
>
> Someone please look into this.
>
> In prism2_ioctl_scan_req() gcc generates a warning:
>
> drivers/net/wireless/prism54/isl_ioctl.c: In function ‘prism2_ioctl_scan_req’:
> drivers/net/wireless/prism54/isl_ioctl.c:2733:14: warning: array subscript is above array bounds [-Warray-bounds]
>
> it's a pretty serious issue, it's about the call to:
>
>                current_ev = prism54_translate_bss(ndev, &info, current_ev,
>                                                   extra + IW_SCAN_MAX_DATA,
>                                                   &(bsslist->bsslist[i]),
>                                                   noise);
>
> it's not the bsslist->bsslist[i] thing, that's fine.
>
> It's "extra + IW_SCAN_MAX_DATA".
>
>        char *extra = "";
>        char *current_ev = "foo";
>
> and IW_SCAN_MAX_DATA is 4096.  Effectively these calls crap IW entries
> into random pieces of memory as far as I can tell.
>
> We either need to figure out where this ioctl interface expects the
> response to go, or remove the ioctl and this code entirely since it's
> obviously not being used.

I'm going to kill all this shit. Thanks for the report.

Luis
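The bug David Miller describes, reduced to a runnable illustration. This is an added example in C, not code from the thread or from the prism54 driver: `struct fake_iw_event`, `translate_one()`, `fill_scan_results()`, `demo_fill()`, `scan_buf` and `struct lied_about_size` are all hypothetical stand-ins, the SSID list is constructed, and the only value taken from the report is IW_SCAN_MAX_DATA = 4096. `translate_one()` plays the role of prism54_translate_bss(): it appends one entry into `[current_ev, end)` and refuses when there is no room, which is exactly the guard that cannot help when the caller manufactures `end` from a string literal. `fill_scan_results()` shows the shape the handler needs (a real buffer and an `end` derived from its actual length, which is the "where does this ioctl expect the response to go" question in the report), and `bogus_end_clobbers_neighbour()` reproduces the report's call pattern with the neighbouring "random memory" modelled as a canary inside the same object, so the stray write is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IW_SCAN_MAX_DATA 4096   /* value quoted in the report */

/* Hypothetical stand-in for the kernel's struct iw_event: 16-bit total
 * length, 16-bit event code, then the payload. */
struct fake_iw_event {
    uint16_t len;
    uint16_t cmd;
    char     data[32];
};
#define FAKE_IW_HDR   (2 * sizeof(uint16_t))
#define FAKE_CMD_SSID 0x8b1b   /* arbitrary event code for this example */

/* Hypothetical stand-in for prism54_translate_bss(): append one entry into
 * [current_ev, end) and return the advanced cursor, or current_ev unchanged
 * if it does not fit.  That room check is the helper's only defence, and it
 * trusts the caller: an `end` fabricated from a pointer that fronts no real
 * buffer satisfies it just the same. */
static char *translate_one(char *current_ev, char *end, const char *ssid)
{
    struct fake_iw_event ev;
    size_t n = strlen(ssid);

    if (n > sizeof ev.data)
        n = sizeof ev.data;
    memset(&ev, 0, sizeof ev);
    ev.cmd = FAKE_CMD_SSID;
    ev.len = (uint16_t)(FAKE_IW_HDR + n);
    memcpy(ev.data, ssid, n);
    if (end < current_ev || (size_t)(end - current_ev) < ev.len)
        return current_ev;              /* no room: drop the entry */
    memcpy(current_ev, &ev, ev.len);
    return current_ev + ev.len;
}

/* The shape the ioctl handler should have: `extra` is a real buffer whose
 * size the caller knows, `end` is derived from that size, and the loop
 * stops at the first entry that does not fit.  Returns bytes written. */
static size_t fill_scan_results(char *extra, size_t extra_len,
                                const char *const *ssids, size_t count)
{
    char *current_ev = extra, *end = extra + extra_len;
    size_t i;

    for (i = 0; i < count; i++) {
        char *next = translate_one(current_ev, end, ssids[i]);
        if (next == current_ev)
            break;                      /* buffer full: report the partial list */
        current_ev = next;
    }
    return (size_t)(current_ev - extra);
}

/* Constructed scan list; fills the first buf_len bytes of scan_buf from it
 * and returns the bytes used (entries are 4 + strlen(ssid) bytes each). */
static char scan_buf[IW_SCAN_MAX_DATA];
static size_t demo_fill(size_t buf_len)
{
    static const char *const ssids[] = { "alpha", "beta", "gamma" };

    if (buf_len > sizeof scan_buf)
        buf_len = sizeof scan_buf;
    memset(scan_buf, 0, sizeof scan_buf);
    return fill_scan_results(scan_buf, buf_len, ssids, 3);
}

/* The report's mistake, reproduced without undefined behaviour: the caller
 * owns a one-byte `extra` (like the literal "") but passes an `end` that is
 * IW_SCAN_MAX_DATA bytes past it.  The "random memory" behind extra is a
 * canary in the same object so the stray write stays defined. */
struct lied_about_size { char extra[1]; char canary[IW_SCAN_MAX_DATA - 1]; };

/* Returns 1 if the SSID payload of the entry landed in the canary. */
static int bogus_end_clobbers_neighbour(void)
{
    static struct lied_about_size s;    /* 4 KiB: keep it off the stack */
    char *end = (char *)&s + IW_SCAN_MAX_DATA;  /* == extra + IW_SCAN_MAX_DATA */
    char *current_ev;

    memset(&s, 'C', sizeof s);
    s.extra[0] = '\0';
    current_ev = translate_one(s.extra, end, "linksys");
    /* 4096 bytes of "room" were claimed, so an 11-byte entry went in at
     * extra[0]; its SSID bytes (offsets 4..10) are canary[3..9]. */
    return current_ev == (char *)&s + 11 &&
           memcmp(s.canary + 3, "linksys", 7) == 0;
}

int main(void)
{
    printf("4096-byte buffer: %zu bytes used\n", demo_fill(IW_SCAN_MAX_DATA));
    printf("20-byte buffer: %zu bytes used (gamma dropped)\n", demo_fill(20));
    printf("bogus end clobbers neighbour: %d\n", bogus_end_clobbers_neighbour());
    return 0;
}
```

The point the canary makes is that the helper's `end - current_ev` check is satisfied by construction in the reported call, so nothing in prism54_translate_bss() could have saved it; the fix has to come from the caller owning a buffer of the size it claims, or, as Luis chose, from removing the dead ioctl path altogether.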