Message ID | 61e34f670a4845f8b1cbf6f6013f8a35@bfs.de (mailing list archive) |
---|---|
State | Not Applicable |
Delegated to: | Kalle Valo |
Series | AW: [PATCH] ath6kl: prevent potential array overflow in ath6kl_add_new_sta() |
Walter Harms <wharms@bfs.de> writes:

> the debugtrace will give the impression that the function is
> running. perhaps it is more clever to have this after the check.

But it's possible to deduce from the debug message that aid is out of limit, so I prefer the way Dan did it.

Please don't top post. Also your mails are not visible in patchwork and are easily missed, most likely due to using "AW:" in the subject.

https://patchwork.kernel.org/patch/11712551/
On Fri, Aug 14, 2020 at 08:49:43AM +0000, Walter Harms wrote:

> nitpicking:
>
> the debugtrace will give the impression that the function is
> running. perhaps it is more clever to have this after the check.
>

The debug is more useful the way I did it. Otherwise it doesn't print anything. This is also the normal way to do this sort of debugging.

regards,
dan carpenter
diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c index 5e7ea838a921..814131a0680a 100644 --- a/drivers/net/wireless/ath/ath6kl/main.c +++ b/drivers/net/wireless/ath/ath6kl/main.c @@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr, ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid); + if (aid < 1 || aid > AP_MAX_NUM_STA) + return; + if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) { struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *) assoc_info;
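
Review bot: the new `aid < 1 || aid > AP_MAX_NUM_STA` check returns silently from a void function, so the only trace of a rejected station is the ATH6KL_DBG_TRC message just above it, which is visible only when that debug level is enabled. Consider logging the out-of-range aid at warning level before the `return`, and add a one-line comment stating why 1..AP_MAX_NUM_STA is the valid range; the subject points at an array in ath6kl_add_new_sta(), but nothing in this hunk says which index the bound protects.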