Patchwork orinoco: Fix walking past the end of the buffer

login
register
mail settings
Submitter Denis Kirjanov
Date Aug. 11, 2010, 8:32 p.m.
Message ID <20100811203216.GA25168@hera.kernel.org>
Download mbox | patch
Permalink /patch/61507/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Denis Kirjanov - Aug. 11, 2010, 8:32 p.m.
Fix walking past the end of the bitrate_table array
in the case when the loop counter == BITRATE_TABLE_SIZE.
Mark bitrate as invalid in this case for the orinoco_ioctl_setrate()

Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
---

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dave - Aug. 14, 2010, 9:45 a.m.
On Wed, Aug 11, 2010 at 9:32 PM, Denis Kirjanov <dkirjanov@kernel.org> wrote:
> diff --git a/drivers/net/wireless/orinoco/hw.c b/drivers/net/wireless/orinoco/hw.c
> index 077baa8..191bc03 100644
> --- a/drivers/net/wireless/orinoco/hw.c
> +++ b/drivers/net/wireless/orinoco/hw.c
> @@ -765,9 +765,12 @@ int orinoco_hw_get_act_bitrate(struct orinoco_private *priv, int *bitrate)
>                        if (bitrate_table[i].intersil_txratectrl == val)
>                                break;
>
> -               if (i >= BITRATE_TABLE_SIZE)
> +               if (i >= BITRATE_TABLE_SIZE) {
>                        printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
>                               priv->ndev->name, val);
> +                       *bitrate = 100001; /* Mark as invalid */

We should propogate the failure by returning an error in the return
code rather than a cryptic bitrate value. The calling function(s)
should then propogate the error through wext/cfg80211 as appropriate.

> +                       break;
> +               }
>
>                *bitrate = bitrate_table[i].bitrate * 100000;
>                break;

We can also make the structure easier to understand by setting the
bitrate within the for loop. Something like the following (I only have
access to gmail ATM, so can't format a proper patch):

		for (i = 0; i < BITRATE_TABLE_SIZE; i++)
			if (bitrate_table[i].intersil_txratectrl == val) {
				*bitrate = bitrate_table[i].bitrate * 100000;
				break;
			}

		if (i >= BITRATE_TABLE_SIZE) {
			printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
			       priv->ndev->name, val);
			err = -EIO; /* maybe chose a better value... */
		}

		break;

Could you update the patch along those lines please?

Thanks,

Dave.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/net/wireless/orinoco/hw.c b/drivers/net/wireless/orinoco/hw.c
index 077baa8..191bc03 100644
--- a/drivers/net/wireless/orinoco/hw.c
+++ b/drivers/net/wireless/orinoco/hw.c
@@ -765,9 +765,12 @@  int orinoco_hw_get_act_bitrate(struct orinoco_private *priv, int *bitrate)
 			if (bitrate_table[i].intersil_txratectrl == val)
 				break;
 
-		if (i >= BITRATE_TABLE_SIZE)
+		if (i >= BITRATE_TABLE_SIZE) {
 			printk(KERN_INFO "%s: Unable to determine current bitrate (0x%04hx)\n",
 			       priv->ndev->name, val);
+			*bitrate = 100001; /* Mark as invalid */
+			break;
+		}
 
 		*bitrate = bitrate_table[i].bitrate * 100000;
 		break;