author | avos <avos@FreeBSD.org> | 2016-01-07 18:41:03 +0000 |
---|---|---|
committer | avos <avos@FreeBSD.org> | 2016-01-07 18:41:03 +0000 |
commit | 252aa9ecdf74fb3dcb03b24e1f99ae5d58d3b742 (patch) | |
tree | 29432600c74c3421aff456667f70f13cde56fddc /sys/dev/usb/wlan | |
parent | f0fdf5da87facac461a6cf7a009493b80f453c3b (diff) | |
net80211 drivers: fix ieee80211_init_channels() usage
Fix out-of-bounds read (all) / write (11n capable) for drivers
that are using ieee80211_init_channels() to initialize channel list.
Tested with:
* RTL8188EU, STA mode.
* RTL8188CUS, STA mode.
* WUSB54GC, HOSTAP mode.
Approved by: adrian (mentor)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D4818
Diffstat (limited to 'sys/dev/usb/wlan')
-rw-r--r-- | sys/dev/usb/wlan/if_rsu.c | 13 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_rum.c | 13 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_run.c | 13 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_uath.c | 13 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_upgt.c | 11 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_ural.c | 13 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_urtw.c | 11 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_urtwn.c | 10 | ||||
-rw-r--r-- | sys/dev/usb/wlan/if_zyd.c | 11 |
9 files changed, 58 insertions, 50 deletions
diff --git a/sys/dev/usb/wlan/if_rsu.c b/sys/dev/usb/wlan/if_rsu.c
index ea89bff..0dcde19 100644
--- a/sys/dev/usb/wlan/if_rsu.c
+++ b/sys/dev/usb/wlan/if_rsu.c
@@ -403,7 +403,8 @@ rsu_attach(device_t self)
 struct rsu_softc *sc = device_get_softc(self);
 struct ieee80211com *ic = &sc->sc_ic;
 int error;
- uint8_t iface_index, bands;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index;
 struct usb_interface *iface;
 const char *rft;
@@ -531,12 +532,12 @@ rsu_attach(device_t self)
 }
 /* Set supported .11b and .11g rates. */
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
 if (sc->sc_ht)
- setbit(&bands, IEEE80211_MODE_11NG);
- ieee80211_init_channels(ic, NULL, &bands);
+ setbit(bands, IEEE80211_MODE_11NG);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_raw_xmit = rsu_raw_xmit;
diff --git a/sys/dev/usb/wlan/if_rum.c b/sys/dev/usb/wlan/if_rum.c
index 02b82ef..3fada69 100644
--- a/sys/dev/usb/wlan/if_rum.c
+++ b/sys/dev/usb/wlan/if_rum.c
@@ -468,8 +468,9 @@ rum_attach(device_t self)
 struct usb_attach_arg *uaa = device_get_ivars(self);
 struct rum_softc *sc = device_get_softc(self);
 struct ieee80211com *ic = &sc->sc_ic;
- uint8_t iface_index, bands;
 uint32_t tmp;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index;
 int error, ntries;
 device_set_usb_desc(self);
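Review bot: The new declaration `uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];` in the first rsu_attach() hunk carries the bitmap-size contract of ieee80211_init_channels() only implicitly, and the same expression is repeated by hand in the rum, run, uath, upgt, ural, urtw, urtwn and zyd attach functions. The callee is handed a bare pointer with no length, so a later driver that copies the old `uint8_t bands` pattern would bring back the out-of-bounds stack access the commit message describes. I would write the divisor as `NBBY` rather than the literal `8` and add a comment at the declaration such as `/* bitmap indexed by IEEE80211_MODE_*; must hold IEEE80211_MODE_MAX bits */`. A single named size constant in the net80211 headers would be better still, though that header is not part of this diff. rsu_attach() begins and ends outside the hunk.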
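Review bot: The context comment `/* Set supported .11b and .11g rates. */` in the second rsu_attach() hunk does not match the code beneath it: the lines set mode bits in a bitmap rather than rates, and `IEEE80211_MODE_11NG` is added as well when `sc->sc_ht` is set. That conditional `setbit()` is presumably the "write (11n capable)" case from the commit message, so it is the line a reader most needs explained. I would replace the comment with something like `/* Supported modes: 11b/11g, plus 11ng when sc_ht is set. */`. The body of rsu_attach() continues outside the hunk.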
@@ -537,12 +538,12 @@ rum_attach(device_t self)
 IEEE80211_CRYPTO_TKIPMIC | IEEE80211_CRYPTO_TKIP;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
 if (sc->rf_rev == RT2573_RF_5225 || sc->rf_rev == RT2573_RF_5226)
- setbit(&bands, IEEE80211_MODE_11A);
- ieee80211_init_channels(ic, NULL, &bands);
+ setbit(bands, IEEE80211_MODE_11A);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_update_promisc = rum_update_promisc;
diff --git a/sys/dev/usb/wlan/if_run.c b/sys/dev/usb/wlan/if_run.c
index 1ad9f60..7a10d2c 100644
--- a/sys/dev/usb/wlan/if_run.c
+++ b/sys/dev/usb/wlan/if_run.c
@@ -704,8 +704,9 @@ run_attach(device_t self)
 struct usb_attach_arg *uaa = device_get_ivars(self);
 struct ieee80211com *ic = &sc->sc_ic;
 uint32_t ver;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index;
 int ntries, error;
- uint8_t iface_index, bands;
 device_set_usb_desc(self);
 sc->sc_udev = uaa->device;
@@ -785,14 +786,14 @@ run_attach(device_t self)
 ic->ic_flags |= IEEE80211_F_DATAPAD;
 ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
 if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 || sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 || sc->rf_rev == RT5592_RF_5592)
- setbit(&bands, IEEE80211_MODE_11A);
- ieee80211_init_channels(ic, NULL, &bands);
+ setbit(bands, IEEE80211_MODE_11A);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
diff --git a/sys/dev/usb/wlan/if_uath.c b/sys/dev/usb/wlan/if_uath.c
index 747d49d..404fdd8 100644
--- a/sys/dev/usb/wlan/if_uath.c
+++ b/sys/dev/usb/wlan/if_uath.c
@@ -328,7 +328,8 @@ uath_attach(device_t dev)
 struct uath_softc *sc = device_get_softc(dev);
 struct usb_attach_arg *uaa = device_get_ivars(dev);
 struct ieee80211com *ic = &sc->sc_ic;
- uint8_t bands, iface_index = UATH_IFACE_INDEX; /* XXX */
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index = UATH_IFACE_INDEX; /* XXX */
 usb_error_t error;
 sc->sc_dev = dev;
@@ -431,13 +432,13 @@ uath_attach(device_t dev)
 /* put a regulatory domain to reveal informations. */
 uath_regdomain = sc->sc_devcap.regDomain;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
 if ((sc->sc_devcap.analog5GhzRevision & 0xf0) == 0x30)
- setbit(&bands, IEEE80211_MODE_11A);
+ setbit(bands, IEEE80211_MODE_11A);
 /* XXX turbo */
- ieee80211_init_channels(ic, NULL, &bands);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_raw_xmit = uath_raw_xmit;
diff --git a/sys/dev/usb/wlan/if_upgt.c b/sys/dev/usb/wlan/if_upgt.c
index 8030c6f..7f1e8ad 100644
--- a/sys/dev/usb/wlan/if_upgt.c
+++ b/sys/dev/usb/wlan/if_upgt.c
@@ -243,7 +243,8 @@ upgt_attach(device_t dev)
 struct upgt_softc *sc = device_get_softc(dev);
 struct ieee80211com *ic = &sc->sc_ic;
 struct usb_attach_arg *uaa = device_get_ivars(dev);
- uint8_t bands, iface_index = UPGT_IFACE_INDEX;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index = UPGT_IFACE_INDEX;
 int error;
 sc->sc_dev = dev;
@@ -337,10 +338,10 @@ upgt_attach(device_t dev)
 | IEEE80211_C_WPA /* 802.11i */ ;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
- ieee80211_init_channels(ic, NULL, &bands);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_raw_xmit = upgt_raw_xmit;
diff --git a/sys/dev/usb/wlan/if_ural.c b/sys/dev/usb/wlan/if_ural.c
index 4d84e5a..328b0a2 100644
--- a/sys/dev/usb/wlan/if_ural.c
+++ b/sys/dev/usb/wlan/if_ural.c
@@ -424,7 +424,8 @@ ural_attach(device_t self)
 struct usb_attach_arg *uaa = device_get_ivars(self);
 struct ural_softc *sc = device_get_softc(self);
 struct ieee80211com *ic = &sc->sc_ic;
- uint8_t iface_index, bands;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index;
 int error;
 device_set_usb_desc(self);
@@ -473,12 +474,12 @@ ural_attach(device_t self)
 | IEEE80211_C_WPA /* 802.11i */ ;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
 if (sc->rf_rev == RAL_RF_5222)
- setbit(&bands, IEEE80211_MODE_11A);
- ieee80211_init_channels(ic, NULL, &bands);
+ setbit(bands, IEEE80211_MODE_11A);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_update_promisc = ural_update_promisc;
diff --git a/sys/dev/usb/wlan/if_urtw.c b/sys/dev/usb/wlan/if_urtw.c
index 105fd9d..0f7b4d9 100644
--- a/sys/dev/usb/wlan/if_urtw.c
+++ b/sys/dev/usb/wlan/if_urtw.c
@@ -785,7 +785,8 @@ urtw_attach(device_t dev)
 struct urtw_softc *sc = device_get_softc(dev);
 struct usb_attach_arg *uaa = device_get_ivars(dev);
 struct ieee80211com *ic = &sc->sc_ic;
- uint8_t bands, iface_index = URTW_IFACE_INDEX; /* XXX */
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index = URTW_IFACE_INDEX; /* XXX */
 uint16_t n_setup;
 uint32_t data;
 usb_error_t error;
@@ -876,10 +877,10 @@ urtw_attach(device_t dev)
 IEEE80211_C_BGSCAN | /* capable of bg scanning */ IEEE80211_C_WPA; /* 802.11i */
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
- ieee80211_init_channels(ic, NULL, &bands);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_raw_xmit = urtw_raw_xmit;
diff --git a/sys/dev/usb/wlan/if_urtwn.c b/sys/dev/usb/wlan/if_urtwn.c
index 73eda59..13f3926 100644
--- a/sys/dev/usb/wlan/if_urtwn.c
+++ b/sys/dev/usb/wlan/if_urtwn.c
@@ -439,7 +439,7 @@ urtwn_attach(device_t self)
 struct usb_attach_arg *uaa = device_get_ivars(self);
 struct urtwn_softc *sc = device_get_softc(self);
 struct ieee80211com *ic = &sc->sc_ic;
- uint8_t bands;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
 int error;
 device_set_usb_desc(self);
@@ -525,10 +525,10 @@ urtwn_attach(device_t self)
 IEEE80211_CRYPTO_TKIP | IEEE80211_CRYPTO_AES_CCM;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
- ieee80211_init_channels(ic, NULL, &bands);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_raw_xmit = urtwn_raw_xmit;
diff --git a/sys/dev/usb/wlan/if_zyd.c b/sys/dev/usb/wlan/if_zyd.c
index d23f306..4463fc6 100644
--- a/sys/dev/usb/wlan/if_zyd.c
+++ b/sys/dev/usb/wlan/if_zyd.c
@@ -334,7 +334,8 @@ zyd_attach(device_t dev)
 struct usb_attach_arg *uaa = device_get_ivars(dev);
 struct zyd_softc *sc = device_get_softc(dev);
 struct ieee80211com *ic = &sc->sc_ic;
- uint8_t iface_index, bands;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index;
 int error;
 if (uaa->info.bcdDevice < 0x4330) {
@@ -387,10 +388,10 @@ zyd_attach(device_t dev)
 | IEEE80211_C_WPA /* 802.11i */ ;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
- ieee80211_init_channels(ic, NULL, &bands);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
 ic->ic_raw_xmit = zyd_raw_xmit; |