diff options
| author |   Adrien Schildknecht <adrien+dev@schischi.me> | 2015-08-14 02:35:32 +0200 |
|---|---|---|
| committer |   Emmanuel Grumbach <emmanuel.grumbach@intel.com> | 2015-08-18 10:25:25 +0300 |
| commit | e192cd121dbe009f67eddd5171d588994b15486c (patch) | |
| tree | c2623a350ec624ccade516a509e66a5937df1c2b /drivers | |
| parent | iwlwifi: bump mvm firmware API to 16 (diff) | |
| download | linux-dev-e192cd121dbe009f67eddd5171d588994b15486c.tar.xz linux-dev-e192cd121dbe009f67eddd5171d588994b15486c.zip | |
iwlwifi: out-of-bounds access in iwl_init_sband_channels
KASan error report:
==================================================================
BUG: KASan: out of bounds access in iwl_init_sband_channels+0x207/0x260 [iwlwifi] at addr ffff8800c2d0aac8
Read of size 4 by task modprobe/329
==================================================================
Both loops of this function compare data from the 'chan' array and then
check if the index is valid.
The 2 conditions should be inverted to avoid an out-of-bounds access.
Signed-off-by: Adrien Schildknecht <adrien+dev@schischi.me>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c index 21302b6f2bfd..acc3d186c5c1 100644 --- a/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c +++ b/drivers/net/wireless/iwlwifi/iwl-eeprom-parse.c @@ -713,12 +713,12 @@ int iwl_init_sband_channels(struct iwl_nvm_data *data, struct ieee80211_channel *chan = &data->channels[0]; int n = 0, idx = 0; - while (chan->band != band && idx < n_channels) + while (idx < n_channels && chan->band != band) chan = &data->channels[++idx]; sband->channels = &data->channels[idx]; - while (chan->band == band && idx < n_channels) { + while (idx < n_channels && chan->band == band) { chan = &data->channels[++idx]; n++; } |