Message ID | 20160411081520.GA17911@mwanda (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Kalle Valo |
Headers | show |
Dan Carpenter <dan.carpenter@oracle.com> writes: > Smatch complains that since "ev->peer_id" comes from skb->data that > means we can't trust it and have to do a bounds check on it to prevent > an array overflow. > > Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> In ath.git pending branch I modified the title to be a bit more unique: ath10k: add some sanity checks to peer_map_event() functions > --- > v2: Add a warning message. There is a checkpatch.pl warning that > the alignment should match the open parenthesis but I ignored it because > we're going off the end of the 80 character limit and this way is fine. In ath10k we have used 90 char limit so I fixed this in the pending branch. And actually I don't think checkpatch complains about the message format string length of a logging function like ath10k_warn().
Dan Carpenter <dan.carpenter@oracle.com> writes: > Smatch complains that since "ev->peer_id" comes from skb->data that > means we can't trust it and have to do a bounds check on it to prevent > an array overflow. > > Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup') > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Applied, thanks.
diff --git a/drivers/net/wireless/ath/ath10k/txrx.c b/drivers/net/wireless/ath/ath10k/txrx.c index 9369411..0885fce 100644 --- a/drivers/net/wireless/ath/ath10k/txrx.c +++ b/drivers/net/wireless/ath/ath10k/txrx.c @@ -190,6 +190,13 @@ void ath10k_peer_map_event(struct ath10k_htt *htt, struct ath10k *ar = htt->ar; struct ath10k_peer *peer; + if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS) { + ath10k_warn(ar, + "received htt peer map event with idx out of bounds: %hu\n", + ev->peer_id); + return; + } + spin_lock_bh(&ar->data_lock); peer = ath10k_peer_find(ar, ev->vdev_id, ev->addr); if (!peer) { @@ -218,6 +225,13 @@ void ath10k_peer_unmap_event(struct ath10k_htt *htt, struct ath10k *ar = htt->ar; struct ath10k_peer *peer; + if (ev->peer_id >= ATH10K_MAX_NUM_PEER_IDS) { + ath10k_warn(ar, + "received htt peer unmap event with idx out of bounds: %hu\n", + ev->peer_id); + return; + } + spin_lock_bh(&ar->data_lock); peer = ath10k_peer_find_by_id(ar, ev->peer_id); if (!peer) {
Smatch complains that since "ev->peer_id" comes from skb->data that means we can't trust it and have to do a bounds check on it to prevent an array overflow. Fixes: 6942726f7f7b ('ath10k: add fast peer_map lookup') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v2: Add a warning message. There is a checkpatch.pl warning that the alignment should match the open parenthesis but I ignored it because we're going off the end of the 80 character limit and this way is fine. -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html