Message ID | 20211006073542.GD8404@kili (mailing list archive) |
---|---|
State | Accepted |
Commit | c1c8380b0320ab757e60ed90efc8b1992a943256 |
Delegated to: | Kalle Valo |
Series | [1/2] b43legacy: fix a lower bounds test |
On Wed, 6 Oct 2021 10:35:42 +0300 Dan Carpenter <dan.carpenter@oracle.com> wrote:

> The problem is that "channel" is an unsigned int, when it's less than 5 the
> value of "channel - 5" is not a negative number as one would expect but
> is a very high positive value instead.
>
> This means that "start" becomes a very high positive value. The result
> of that is that we never enter the "for (i = start; i <= end; i++) {"
> loop. Instead of storing the result from b43legacy_radio_aci_detect()
> it just uses zero.
>
> Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This fix is correct, but making dead code go live can sometimes expose
> bugs which were previously hiding and always carries a slight risk.
>
> drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43legacy/radio.c b/drivers/net/wireless/broadcom/b43legacy/radio.c > index 06891b4f837b..fdf78c10a05c 100644 > --- a/drivers/net/wireless/broadcom/b43legacy/radio.c > +++ b/drivers/net/wireless/broadcom/b43legacy/radio.c > @@ -283,7 +283,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev) > & 0x7FFF); > b43legacy_set_all_gains(dev, 3, 8, 1); > > - start = (channel - 5 > 0) ? channel - 5 : 1; > + start = (channel > 5) ? channel - 5 : 1; > end = (channel + 5 < 14) ? channel + 5 : 13; > > for (i = start; i <= end; i++) {

Nice finding.

Acked-by: Michael Büsch <m@bues.ch>
Dan Carpenter <dan.carpenter@oracle.com> wrote:

> The problem is that "channel" is an unsigned int, when it's less than 5 the
> value of "channel - 5" is not a negative number as one would expect but
> is a very high positive value instead.
>
> This means that "start" becomes a very high positive value. The result
> of that is that we never enter the "for (i = start; i <= end; i++) {"
> loop. Instead of storing the result from b43legacy_radio_aci_detect()
> it just uses zero.
>
> Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Acked-by: Michael Büsch <m@bues.ch>

2 patches applied to wireless-drivers-next.git, thanks.

c1c8380b0320 b43legacy: fix a lower bounds test
9b793db5fca4 b43: fix a lower bounds test
diff --git a/drivers/net/wireless/broadcom/b43legacy/radio.c b/drivers/net/wireless/broadcom/b43legacy/radio.c index 06891b4f837b..fdf78c10a05c 100644 --- a/drivers/net/wireless/broadcom/b43legacy/radio.c +++ b/drivers/net/wireless/broadcom/b43legacy/radio.c @@ -283,7 +283,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev) & 0x7FFF); b43legacy_set_all_gains(dev, 3, 8, 1); - start = (channel - 5 > 0) ? channel - 5 : 1; + start = (channel > 5) ? channel - 5 : 1; end = (channel + 5 < 14) ? channel + 5 : 13; for (i = start; i <= end; i++) {
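Review bot: On the changed `start = (channel > 5) ? channel - 5 : 1;` line, nothing tells a later reader that the comparison has to come before the subtraction because, as the commit message states, "channel" is unsigned; a one-line comment above it would keep the test from being "simplified" back to the wrapping form. The two ternary lines also carry the window width 5 and the limits 1, 13 and 14 as bare numbers, so named constants would make it easier to see that the lower and upper clamps describe the same range. Because the `for (i = start; i <= end; i++)` body now runs on channels where it was previously skipped, the changelog should say whether the change was exercised on a low channel.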
The problem is that "channel" is an unsigned int, when it's less than 5 the
value of "channel - 5" is not a negative number as one would expect but
is a very high positive value instead.

This means that "start" becomes a very high positive value. The result
of that is that we never enter the "for (i = start; i <= end; i++) {"
loop. Instead of storing the result from b43legacy_radio_aci_detect()
it just uses zero.

Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This fix is correct, but making dead code go live can sometimes expose
bugs which were previously hiding and always carries a slight risk.

drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
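The wraparound described in the commit message, reproduced in user space as an added example (not code from the patch or the driver). The helper names are hypothetical, "unsigned int" stands in for the driver's "channel" type, and the loop only counts iterations in place of calling b43legacy_radio_aci_detect().

```c
#include <stdio.h>

/* Count how many channels a "for (i = start; i <= end; i++)" loop visits. */
static unsigned int loop_iterations(unsigned int start, unsigned int end)
{
	unsigned int i, n = 0;

	for (i = start; i <= end; i++)
		n++;
	return n;
}

/* Lower bound before the fix: the unsigned subtraction wraps before the test. */
static unsigned int start_before(unsigned int channel)
{
	return (channel - 5 > 0) ? channel - 5 : 1;
}

/* Lower bound after the fix: compare first, subtract only when it is safe. */
static unsigned int start_after(unsigned int channel)
{
	return (channel > 5) ? channel - 5 : 1;
}

/* Upper bound, which the patch leaves unchanged. */
static unsigned int end_of(unsigned int channel)
{
	return (channel + 5 < 14) ? channel + 5 : 13;
}

static unsigned int scanned_before(unsigned int channel)
{
	return loop_iterations(start_before(channel), end_of(channel));
}

static unsigned int scanned_after(unsigned int channel)
{
	return loop_iterations(start_after(channel), end_of(channel));
}

int main(void)
{
	unsigned int ch;

	/* Constructed input: every channel number from 1 to 13. */
	for (ch = 1; ch <= 13; ch++)
		printf("channel %2u: scanned before=%2u after=%2u\n",
		       ch, scanned_before(ch), scanned_after(ch));
	return 0;
}
```

Channel 5 behaves the same in both versions because "channel - 5" is exactly zero there; only channels below 5 hit the wrapped value and skip the loop.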