leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

iwlwifi: out-of-bounds access in iwl_init_sband_channels

Browse Source 
KASan error report:
==================================================================
BUG: KASan: out of bounds access in iwl_init_sband_channels+0x207/0x260 [iwlwifi] at addr ffff8800c2d0aac8
Read of size 4 by task modprobe/329
==================================================================

Both loops of this function compare data from the 'chan' array and then
check if the index is valid.

The 2 conditions should be inverted to avoid an out-of-bounds access.

Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
This commit is contained in:
Adrien Schildknecht 2015-08-14 02:35:32 +02:00 committed by Emmanuel Grumbach
parent da0fa5ebb2
commit e192cd121d
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c
View File

@ -713,12 +713,12 @@ int iwl_init_sband_channels(struct iwl_nvm_data *data,
struct ieee80211_channel *chan = &data->channels[0]; struct ieee80211_channel *chan = &data->channels[0];
int n = 0, idx = 0; int n = 0, idx = 0;
while (chan->band != band && idx < n_channels) while (idx < n_channels && chan->band != band)
chan = &data->channels[++idx]; chan = &data->channels[++idx];
sband->channels = &data->channels[idx]; sband->channels = &data->channels[idx];
while (chan->band == band && idx < n_channels) { while (idx < n_channels && chan->band == band) {
chan = &data->channels[++idx]; chan = &data->channels[++idx];
n++; n++;
} }