From 252aa9ecdf74fb3dcb03b24e1f99ae5d58d3b742 Mon Sep 17 00:00:00 2001
From: avos
Date: Thu, 7 Jan 2016 18:41:03 +0000
Subject: net80211 drivers: fix ieee80211_init_channels() usage
Fix out-of-bounds read (all) / write (11n capable) for drivers that are using ieee80211_init_channels() to initialize channel list.
Tested with:
* RTL8188EU, STA mode.
* RTL8188CUS, STA mode.
* WUSB54GC, HOSTAP mode.
Approved by: adrian (mentor)
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D4818
---
 sys/dev/usb/wlan/if_run.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'sys/dev/usb/wlan/if_run.c')
diff --git a/sys/dev/usb/wlan/if_run.c b/sys/dev/usb/wlan/if_run.c
index 1ad9f60..7a10d2c 100644
--- a/sys/dev/usb/wlan/if_run.c
+++ b/sys/dev/usb/wlan/if_run.c
@@ -704,8 +704,9 @@ run_attach(device_t self)
 struct usb_attach_arg *uaa = device_get_ivars(self);
 struct ieee80211com *ic = &sc->sc_ic;
 uint32_t ver;
+ uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];
+ uint8_t iface_index;
 int ntries, error;
- uint8_t iface_index, bands;
 device_set_usb_desc(self);
 sc->sc_udev = uaa->device;
@@ -785,14 +786,14 @@ run_attach(device_t self)
 ic->ic_flags |= IEEE80211_F_DATAPAD;
 ic->ic_flags_ext |= IEEE80211_FEXT_SWBMISS;
- bands = 0;
- setbit(&bands, IEEE80211_MODE_11B);
- setbit(&bands, IEEE80211_MODE_11G);
+ memset(bands, 0, sizeof(bands));
+ setbit(bands, IEEE80211_MODE_11B);
+ setbit(bands, IEEE80211_MODE_11G);
 if (sc->rf_rev == RT2860_RF_2750 || sc->rf_rev == RT2860_RF_2850 || sc->rf_rev == RT3070_RF_3052 || sc->rf_rev == RT3593_RF_3053 || sc->rf_rev == RT5592_RF_5592)
- setbit(&bands, IEEE80211_MODE_11A);
- ieee80211_init_channels(ic, NULL, &bands);
+ setbit(bands, IEEE80211_MODE_11A);
+ ieee80211_init_channels(ic, NULL, bands);
 ieee80211_ifattach(ic);
--
cgit v1.1
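Review bot: The size in the added declaration `uint8_t bands[howmany(IEEE80211_MODE_MAX, 8)];` is open-coded with a literal 8, so this driver carries its own copy of the bitmap-size formula. net80211 defines `IEEE80211_MODE_BYTES` for mode bitmaps (assuming that header is in scope for if_run.c), and `uint8_t bands[IEEE80211_MODE_BYTES];` would tie the buffer to the stack's own definition instead of a per-driver expression. That matters here because the later `ieee80211_init_channels(ic, NULL, bands)` call passes a bare pointer with no length, so a wrong size is silent memory corruption rather than a compile error. run_attach's body starts and ends outside the hunk.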
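Review bot: Nothing at the `memset(bands, 0, sizeof(bands));` / `ieee80211_init_channels(ic, NULL, bands);` sequence in the second hunk records that the callee treats `bands` as a whole mode bitmap, which, per the commit message, is the assumption the old single-byte `&bands` code got wrong. A one-line comment above the `memset` would document the contract for the next person who copies this block into another driver, for example `/* bands: one bit per IEEE80211_MODE_*; must cover IEEE80211_MODE_MAX bits */`. The enclosing function continues outside the hunk, so any other use of `bands` in run_attach is not visible from here.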