author | Damien Bergamini <damien@cvs.openbsd.org> | 2006-10-22 08:25:44 +0000 |
---|---|---|
committer | Damien Bergamini <damien@cvs.openbsd.org> | 2006-10-22 08:25:44 +0000 |
commit | 1658f626efe98badfc47aaa798c7463bac80228b (patch) | |
tree | 038a445e2b7e5ba616055bf03e93ec152a56dbd6 /sys/dev | |
parent | 0151bcc827a0bd4290ad26023a7649320025d166 (diff) |
Check that ni->ni_rates.rs_nrates is not greater than sizeof rs.rates in
iwi_auth_and_assoc() before copying the rate set.
The firmware command allows a maximum of 12 rates to be defined while the
ieee80211_rateset structure can contain up to 15 rates.
Notice that this should not happen since the rate set is supposed to be
negotiated at that time but Jeremie Le Hen sees some evidence of this
happening in FreeBSD.
In case it happens, print a diagnostic message and truncate the rate set.
Pointed out by Jeremie Le Hen.
Diffstat (limited to 'sys/dev')
-rw-r--r-- | sys/dev/pci/if_iwi.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/dev/pci/if_iwi.c b/sys/dev/pci/if_iwi.c index a406bf9c431..a80a74d9bfd 100644 --- a/sys/dev/pci/if_iwi.c +++ b/sys/dev/pci/if_iwi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwi.c,v 1.75 2006/09/29 05:34:25 brad Exp $ */ +/* $OpenBSD: if_iwi.c,v 1.76 2006/10/22 08:25:43 damien Exp $ */ /*- * Copyright (c) 2004-2006 @@ -2086,6 +2086,16 @@ iwi_auth_and_assoc(struct iwi_softc *sc) IWI_MODE_11G; rs.type = IWI_RATESET_TYPE_NEGOTIATED; rs.nrates = ni->ni_rates.rs_nrates; + if (rs.nrates > sizeof rs.rates) { +#ifdef DIAGNOSTIC + /* should not happen since the rates are negotiated */ + printf("%s: XXX too many rates (count=%d, last=%d)\n", + sc->sc_dev.dv_xname, ni->ni_rates.rs_nrates, + ni->ni_rates.rs_rates[ni->ni_rates.rs_nrates - 1] & + IEEE80211_RATE_VAL); +#endif + rs.nrates = sizeof rs.rates; + } bcopy(ni->ni_rates.rs_rates, rs.rates, rs.nrates); DPRINTF(("Setting negotiated rates (%u)\n", rs.nrates)); error = iwi_cmd(sc, IWI_CMD_SET_RATES, &rs, sizeof rs, 1); |
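Review bot: In the iwi_auth_and_assoc() hunk, the new test `rs.nrates > sizeof rs.rates` compares an element count against a byte size, so it is only a correct bound while each entry of rs.rates is exactly one byte. Nothing in the visible lines states that. Consider comparing against an element count (for example `sizeof rs.rates / sizeof rs.rates[0]`, or a named constant for the firmware's 12-rate limit) so the clamp before `bcopy()` stays correct if the field type ever changes. Separately, the DIAGNOSTIC printf reads `ni->ni_rates.rs_rates[ni->ni_rates.rs_nrates - 1]` using the very count this branch has just found to be unexpected. The count is checked against the destination size only, so if rs_nrates is ever larger than the source array holds, that read and the source side of the copy are not covered by this check. Printing only the count, or validating rs_nrates against the source array's capacity first, would avoid that. Note also that in kernels built without DIAGNOSTIC the truncation is silent, which may be worth a sentence in the comment.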