Commit e192cd12 authored Aug 14, 2015 by Adrien Schildknecht Committed by Emmanuel Grumbach Aug 18, 2015

iwlwifi: out-of-bounds access in iwl_init_sband_channels



KASan error report:
==================================================================
BUG: KASan: out of bounds access in iwl_init_sband_channels+0x207/0x260 [iwlwifi] at addr ffff8800c2d0aac8
Read of size 4 by task modprobe/329
==================================================================

Both loops of this function compare data from the 'chan' array and then
check if the index is valid.

The 2 conditions should be inverted to avoid an out-of-bounds access.

Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

parent da0fa5eb

drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -713,12 +713,12 @@ int iwl_init_sband_channels(struct iwl_nvm_data *data,
		struct ieee80211_channel *chan = &data->channels[0];
		int n = 0, idx = 0;

		while (chan->band != band && idx < n_channels)
		while (idx < n_channels && chan->band != band)
		chan = &data->channels[++idx];

		sband->channels = &data->channels[idx];

		while (chan->band == band && idx < n_channels) {
		while (idx < n_channels && chan->band == band) {
		chan = &data->channels[++idx];
		n++;
		}