Hi maxv,

there is a similar code fragment in ic/bwfm.c:bwfm_scan_node.
I am not sure what I'm looking at. Could it be wrong too?

Thanks.

On Tue, Jan 16, 2018 at 07:05:25AM +0000, Maxime Villard wrote:
> Module Name:  src
> Committed By: maxv
> Date:         Tue Jan 16 07:05:25 UTC 2018
> 
> Modified Files:
>       src/sys/dev/pci: if_ipw.c if_iwi.c if_iwn.c
> 
> Log Message:
> Fix overflow.
> 
> 
> To generate a diff of this commit:
> cvs rdiff -u -r1.66 -r1.67 src/sys/dev/pci/if_ipw.c
> cvs rdiff -u -r1.104 -r1.105 src/sys/dev/pci/if_iwi.c
> cvs rdiff -u -r1.86 -r1.87 src/sys/dev/pci/if_iwn.c
> 
> Please note that diffs are not public domain; they are subject to the
> copyright notices on the relevant files.
> 

> Modified files:
> 
> Index: src/sys/dev/pci/if_ipw.c
> diff -u src/sys/dev/pci/if_ipw.c:1.66 src/sys/dev/pci/if_ipw.c:1.67
> --- src/sys/dev/pci/if_ipw.c:1.66     Mon Oct 23 09:31:18 2017
> +++ src/sys/dev/pci/if_ipw.c  Tue Jan 16 07:05:24 2018
> @@ -1,4 +1,4 @@
> -/*   $NetBSD: if_ipw.c,v 1.66 2017/10/23 09:31:18 msaitoh Exp $      */
> +/*   $NetBSD: if_ipw.c,v 1.67 2018/01/16 07:05:24 maxv Exp $ */
>  /*   FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp 
>         */
>  
>  /*-
> @@ -29,7 +29,7 @@
>   */
>  
>  #include <sys/cdefs.h>
> -__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.66 2017/10/23 09:31:18 msaitoh Exp 
> $");
> +__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.67 2018/01/16 07:05:24 maxv Exp $");
>  
>  /*-
>   * Intel(R) PRO/Wireless 2100 MiniPCI driver
> @@ -1001,12 +1001,13 @@ ipw_fix_channel(struct ieee80211com *ic,
>       efrm = mtod(m, uint8_t *) + m->m_len;
>  
>       frm += 12;      /* skip tstamp, bintval and capinfo fields */
> -     while (frm < efrm) {
> -             if (*frm == IEEE80211_ELEMID_DSPARMS)
> +     while (frm + 2 < efrm) {
> +             if (*frm == IEEE80211_ELEMID_DSPARMS) {
>  #if IEEE80211_CHAN_MAX < 255
> -             if (frm[2] <= IEEE80211_CHAN_MAX)
> +                     if (frm[2] <= IEEE80211_CHAN_MAX)
>  #endif
> -                     ic->ic_curchan = &ic->ic_channels[frm[2]];
> +                             ic->ic_curchan = &ic->ic_channels[frm[2]];
> +             }
>  
>               frm += frm[1] + 2;
>       }
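Review bot: The loop in ipw_fix_channel still trusts the element length byte: `frm[1]` is never compared with the remaining buffer or with the one-byte DS Parameter Set body, so a DSPARMS element that advertises length 0 has `frm[2]` (really the next element's ID) taken as the channel. Judging by the skipped tstamp/bintval/capinfo fields these are beacon or probe-response bodies, whose contents are chosen by the transmitter, so I would require `frm[1] >= 1` in the DSPARMS branch and stop on a truncated element with `if (frm + 2 + frm[1] > efrm) break;` before using the body. The same applies to the identical hunks in iwi_fix_channel (if_iwi.c) and iwn_fix_channel (if_iwn.c). The function starts above the hunk, so whether `m->m_len` is known to cover the 12 fixed bytes skipped by `frm += 12` cannot be seen here and is worth confirming.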
> 
> Index: src/sys/dev/pci/if_iwi.c
> diff -u src/sys/dev/pci/if_iwi.c:1.104 src/sys/dev/pci/if_iwi.c:1.105
> --- src/sys/dev/pci/if_iwi.c:1.104    Mon Oct 23 09:28:13 2017
> +++ src/sys/dev/pci/if_iwi.c  Tue Jan 16 07:05:24 2018
> @@ -1,4 +1,4 @@
> -/*   $NetBSD: if_iwi.c,v 1.104 2017/10/23 09:28:13 msaitoh Exp $  */
> +/*   $NetBSD: if_iwi.c,v 1.105 2018/01/16 07:05:24 maxv Exp $  */
>  /*   $OpenBSD: if_iwi.c,v 1.111 2010/11/15 19:11:57 damien Exp $     */
>  
>  /*-
> @@ -19,7 +19,7 @@
>   */
>  
>  #include <sys/cdefs.h>
> -__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.104 2017/10/23 09:28:13 msaitoh Exp 
> $");
> +__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.105 2018/01/16 07:05:24 maxv Exp 
> $");
>  
>  /*-
>   * Intel(R) PRO/Wireless 2200BG/2225BG/2915ABG driver
> @@ -1126,12 +1126,13 @@ iwi_fix_channel(struct ieee80211com *ic,
>       efrm = mtod(m, uint8_t *) + m->m_len;
>  
>       frm += 12;      /* skip tstamp, bintval and capinfo fields */
> -     while (frm < efrm) {
> -             if (*frm == IEEE80211_ELEMID_DSPARMS)
> +     while (frm + 2 < efrm) {
> +             if (*frm == IEEE80211_ELEMID_DSPARMS) {
>  #if IEEE80211_CHAN_MAX < 255
> -             if (frm[2] <= IEEE80211_CHAN_MAX)
> +                     if (frm[2] <= IEEE80211_CHAN_MAX)
>  #endif
> -                     ic->ic_curchan = &ic->ic_channels[frm[2]];
> +                             ic->ic_curchan = &ic->ic_channels[frm[2]];
> +             }
>  
>               frm += frm[1] + 2;
>       }
> 
> Index: src/sys/dev/pci/if_iwn.c
> diff -u src/sys/dev/pci/if_iwn.c:1.86 src/sys/dev/pci/if_iwn.c:1.87
> --- src/sys/dev/pci/if_iwn.c:1.86     Mon Oct 23 09:31:18 2017
> +++ src/sys/dev/pci/if_iwn.c  Tue Jan 16 07:05:24 2018
> @@ -1,4 +1,4 @@
> -/*   $NetBSD: if_iwn.c,v 1.86 2017/10/23 09:31:18 msaitoh Exp $      */
> +/*   $NetBSD: if_iwn.c,v 1.87 2018/01/16 07:05:24 maxv Exp $ */
>  /*   $OpenBSD: if_iwn.c,v 1.135 2014/09/10 07:22:09 dcoppa Exp $     */
>  
>  /*-
> @@ -22,7 +22,7 @@
>   * adapters.
>   */
>  #include <sys/cdefs.h>
> -__KERNEL_RCSID(0, "$NetBSD: if_iwn.c,v 1.86 2017/10/23 09:31:18 msaitoh Exp 
> $");
> +__KERNEL_RCSID(0, "$NetBSD: if_iwn.c,v 1.87 2018/01/16 07:05:24 maxv Exp $");
>  
>  #define IWN_USE_RBUF /* Use local storage for RX */
>  #undef IWN_HWCRYPTO  /* XXX does not even compile yet */
> @@ -6607,12 +6607,13 @@ iwn_fix_channel(struct ieee80211com *ic,
>       efrm = mtod(m, uint8_t *) + m->m_len;
>  
>       frm += 12;      /* skip tstamp, bintval and capinfo fields */
> -     while (frm < efrm) {
> -             if (*frm == IEEE80211_ELEMID_DSPARMS)
> +     while (frm + 2 < efrm) {
> +             if (*frm == IEEE80211_ELEMID_DSPARMS) {
>  #if IEEE80211_CHAN_MAX < 255
> -             if (frm[2] <= IEEE80211_CHAN_MAX)
> +                     if (frm[2] <= IEEE80211_CHAN_MAX)
>  #endif
> -                     ic->ic_curchan = &ic->ic_channels[frm[2]];
> +                             ic->ic_curchan = &ic->ic_channels[frm[2]];
> +             }
>  
>               frm += frm[1] + 2;
>       }
> 
