authorDamien Bergamini <damien@cvs.openbsd.org>2006-10-22 08:25:44 +0000
committerDamien Bergamini <damien@cvs.openbsd.org>2006-10-22 08:25:44 +0000
commit1658f626efe98badfc47aaa798c7463bac80228b (patch)
tree038a445e2b7e5ba616055bf03e93ec152a56dbd6 /sys/dev/pci
parent0151bcc827a0bd4290ad26023a7649320025d166 (diff)
Check that ni->ni_rates.rs_nrates is not greater than sizeof rs.rates in
iwi_auth_and_assoc() before copying the rate set. The firmware command allows a maximum of 12 rates to be defined while the ieee80211_rateset structure can contain up to 15 rates. Notice that this should not happen since the rate set is supposed to be negotiated at that time but Jeremie Le Hen sees some evidence of this happening in FreeBSD. In case it happens, print a diagnostic message and truncate the rate set. Pointed out by Jeremie Le Hen.
Diffstat (limited to 'sys/dev/pci')
-rw-r--r--sys/dev/pci/if_iwi.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/dev/pci/if_iwi.c b/sys/dev/pci/if_iwi.c
index a406bf9c431..a80a74d9bfd 100644
--- a/sys/dev/pci/if_iwi.c
+++ b/sys/dev/pci/if_iwi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwi.c,v 1.75 2006/09/29 05:34:25 brad Exp $ */
+/* $OpenBSD: if_iwi.c,v 1.76 2006/10/22 08:25:43 damien Exp $ */
/*-
* Copyright (c) 2004-2006
@@ -2086,6 +2086,16 @@ iwi_auth_and_assoc(struct iwi_softc *sc)
IWI_MODE_11G;
rs.type = IWI_RATESET_TYPE_NEGOTIATED;
rs.nrates = ni->ni_rates.rs_nrates;
+ if (rs.nrates > sizeof rs.rates) {
+#ifdef DIAGNOSTIC
+ /* should not happen since the rates are negotiated */
+ printf("%s: XXX too many rates (count=%d, last=%d)\n",
+ sc->sc_dev.dv_xname, ni->ni_rates.rs_nrates,
+ ni->ni_rates.rs_rates[ni->ni_rates.rs_nrates - 1] &
+ IEEE80211_RATE_VAL);
+#endif
+ rs.nrates = sizeof rs.rates;
+ }
bcopy(ni->ni_rates.rs_rates, rs.rates, rs.nrates);
DPRINTF(("Setting negotiated rates (%u)\n", rs.nrates));
error = iwi_cmd(sc, IWI_CMD_SET_RATES, &rs, sizeof rs, 1);
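Review bot: The DIAGNOSTIC printf inside the new `if (rs.nrates > sizeof rs.rates)` branch indexes `ni->ni_rates.rs_rates[ni->ni_rates.rs_nrates - 1]` with the same count that has just been found out of range. The branch bounds the count only against the firmware's rate array, not against the capacity of `rs_rates` (15 entries per the commit message), so a corrupted `rs_nrates` would make the diagnostic read past the source array before the truncation takes effect. Printing only the count avoids that: `printf("%s: XXX too many rates (count=%d)\n", sc->sc_dev.dv_xname, ni->ni_rates.rs_nrates);`. The comparison also uses `sizeof rs.rates` as an element count, which presumably holds because the entries are single bytes; a short comment saying so would help. The truncation is silent on kernels built without DIAGNOSTIC, and iwi_auth_and_assoc() starts and ends outside this hunk.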