Module Name: src
Committed By: maxv
Date: Tue Jan 16 07:05:25 UTC 2018
Modified Files:
src/sys/dev/pci: if_ipw.c if_iwi.c if_iwn.c
Log Message:
Fix overflow.
To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/sys/dev/pci/if_ipw.c
cvs rdiff -u -r1.104 -r1.105 src/sys/dev/pci/if_iwi.c
cvs rdiff -u -r1.86 -r1.87 src/sys/dev/pci/if_iwn.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/pci/if_ipw.c
diff -u src/sys/dev/pci/if_ipw.c:1.66 src/sys/dev/pci/if_ipw.c:1.67
--- src/sys/dev/pci/if_ipw.c:1.66 Mon Oct 23 09:31:18 2017
+++ src/sys/dev/pci/if_ipw.c Tue Jan 16 07:05:24 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_ipw.c,v 1.66 2017/10/23 09:31:18 msaitoh Exp $ */
+/* $NetBSD: if_ipw.c,v 1.67 2018/01/16 07:05:24 maxv Exp $ */
/* FreeBSD: src/sys/dev/ipw/if_ipw.c,v 1.15 2005/11/13 17:17:40 damien Exp */
/*-
@@ -29,7 +29,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.66 2017/10/23 09:31:18 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ipw.c,v 1.67 2018/01/16 07:05:24 maxv Exp $");
/*-
* Intel(R) PRO/Wireless 2100 MiniPCI driver
@@ -1001,12 +1001,13 @@ ipw_fix_channel(struct ieee80211com *ic,
efrm = mtod(m, uint8_t *) + m->m_len;
frm += 12; /* skip tstamp, bintval and capinfo fields */
- while (frm < efrm) {
- if (*frm == IEEE80211_ELEMID_DSPARMS)
+ while (frm + 2 < efrm) {
+ if (*frm == IEEE80211_ELEMID_DSPARMS) {
#if IEEE80211_CHAN_MAX < 255
- if (frm[2] <= IEEE80211_CHAN_MAX)
+ if (frm[2] <= IEEE80211_CHAN_MAX)
#endif
- ic->ic_curchan = &ic->ic_channels[frm[2]];
+ ic->ic_curchan = &ic->ic_channels[frm[2]];
+ }
frm += frm[1] + 2;
}
Index: src/sys/dev/pci/if_iwi.c
diff -u src/sys/dev/pci/if_iwi.c:1.104 src/sys/dev/pci/if_iwi.c:1.105
--- src/sys/dev/pci/if_iwi.c:1.104 Mon Oct 23 09:28:13 2017
+++ src/sys/dev/pci/if_iwi.c Tue Jan 16 07:05:24 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_iwi.c,v 1.104 2017/10/23 09:28:13 msaitoh Exp $ */
+/* $NetBSD: if_iwi.c,v 1.105 2018/01/16 07:05:24 maxv Exp $ */
/* $OpenBSD: if_iwi.c,v 1.111 2010/11/15 19:11:57 damien Exp $ */
/*-
@@ -19,7 +19,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.104 2017/10/23 09:28:13 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_iwi.c,v 1.105 2018/01/16 07:05:24 maxv Exp $");
/*-
* Intel(R) PRO/Wireless 2200BG/2225BG/2915ABG driver
@@ -1126,12 +1126,13 @@ iwi_fix_channel(struct ieee80211com *ic,
efrm = mtod(m, uint8_t *) + m->m_len;
frm += 12; /* skip tstamp, bintval and capinfo fields */
- while (frm < efrm) {
- if (*frm == IEEE80211_ELEMID_DSPARMS)
+ while (frm + 2 < efrm) {
+ if (*frm == IEEE80211_ELEMID_DSPARMS) {
#if IEEE80211_CHAN_MAX < 255
- if (frm[2] <= IEEE80211_CHAN_MAX)
+ if (frm[2] <= IEEE80211_CHAN_MAX)
#endif
- ic->ic_curchan = &ic->ic_channels[frm[2]];
+ ic->ic_curchan = &ic->ic_channels[frm[2]];
+ }
frm += frm[1] + 2;
}
Index: src/sys/dev/pci/if_iwn.c
diff -u src/sys/dev/pci/if_iwn.c:1.86 src/sys/dev/pci/if_iwn.c:1.87
--- src/sys/dev/pci/if_iwn.c:1.86 Mon Oct 23 09:31:18 2017
+++ src/sys/dev/pci/if_iwn.c Tue Jan 16 07:05:24 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_iwn.c,v 1.86 2017/10/23 09:31:18 msaitoh Exp $ */
+/* $NetBSD: if_iwn.c,v 1.87 2018/01/16 07:05:24 maxv Exp $ */
/* $OpenBSD: if_iwn.c,v 1.135 2014/09/10 07:22:09 dcoppa Exp $ */
/*-
@@ -22,7 +22,7 @@
* adapters.
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_iwn.c,v 1.86 2017/10/23 09:31:18 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_iwn.c,v 1.87 2018/01/16 07:05:24 maxv Exp $");
#define IWN_USE_RBUF /* Use local storage for RX */
#undef IWN_HWCRYPTO /* XXX does not even compile yet */
@@ -6607,12 +6607,13 @@ iwn_fix_channel(struct ieee80211com *ic,
efrm = mtod(m, uint8_t *) + m->m_len;
frm += 12; /* skip tstamp, bintval and capinfo fields */
- while (frm < efrm) {
- if (*frm == IEEE80211_ELEMID_DSPARMS)
+ while (frm + 2 < efrm) {
+ if (*frm == IEEE80211_ELEMID_DSPARMS) {
#if IEEE80211_CHAN_MAX < 255
- if (frm[2] <= IEEE80211_CHAN_MAX)
+ if (frm[2] <= IEEE80211_CHAN_MAX)
#endif
- ic->ic_curchan = &ic->ic_channels[frm[2]];
+ ic->ic_curchan = &ic->ic_channels[frm[2]];
+ }
frm += frm[1] + 2;
}
