minor array overflow in ifconfig set80211chanlist()
Don Lewis
truckman at FreeBSD.org
Mon May 16 21:43:01 UTC 2016
I asked adrian@ privately and he sent me here ...
Coverity is complaining about an array overflow in set80211chanlist().
The code in question is:

    if (first > IEEE80211_CHAN_MAX)
        errx(-1, "channel %u out of range, max %u",
            first, IEEE80211_CHAN_MAX);
    setbit(chanlist.ic_channels, first);

The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
256 and setbit() would still be called.
The ifconfig man page says that channel numbers should be in the range
1 to 255, so I think the correct fix would be to change this test (as
well as others that follow) to >= IEEE80211_CHAN_MAX.
Does that look correct?
Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255.
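
The off-by-one described in the message above, as an added example that is not part of the original post or of the ifconfig source. It assumes the channel bitmap holds one bit per channel (32 bytes for 256 channels); `guarded_chanlist`, `set_chan_original`, `set_chan_fixed` and the extra guard byte are hypothetical names and scaffolding, used so the stray write is observable without touching memory the program does not own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHAN_MAX   256                  /* IEEE80211_CHAN_MAX, value from the post */
#define CHAN_BYTES ((CHAN_MAX + 7) / 8) /* assumed bitmap size: 32 bytes, bits 0..255 */

/* Bitmap plus one guard byte, so the stray write lands in memory we own. */
struct guarded_chanlist {
    uint8_t buf[CHAN_BYTES + 1];
};

/* Same arithmetic as the BSD setbit() macro: byte i/8, bit i%8. */
static void set_bit(uint8_t *a, unsigned i) {
    a[i / 8] |= (uint8_t)(1u << (i % 8));
}

/* Range check as quoted in the post: rejects only first > CHAN_MAX. */
int set_chan_original(struct guarded_chanlist *cl, unsigned first) {
    if (first > CHAN_MAX)
        return -1;
    set_bit(cl->buf, first);
    return 0;
}

/* Range check proposed in the post: rejects first >= CHAN_MAX. */
int set_chan_fixed(struct guarded_chanlist *cl, unsigned first) {
    if (first >= CHAN_MAX)
        return -1;
    set_bit(cl->buf, first);
    return 0;
}

/* Nonzero if anything was written past the 32-byte bitmap. */
int guard_touched(const struct guarded_chanlist *cl) {
    return cl->buf[CHAN_BYTES] != 0;
}

int main(void) {
    struct guarded_chanlist a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    int ra = set_chan_original(&a, 256), rb = set_chan_fixed(&b, 256);
    printf("original: ret=%d guard_touched=%d\n", ra, guard_touched(&a));
    printf("fixed:    ret=%d guard_touched=%d\n", rb, guard_touched(&b));
    return 0;
}
```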