Re: [PATCH] staging: wilc1000: fix infinite loop and out-of-bounds access

From: Ajay Singh
Date: Mon Apr 30 2018 - 10:29:35 EST


Reviewed-by: Ajay Singh <ajay.kathat@xxxxxxxxxxxxx>

On Mon, 30 Apr 2018 07:50:40 -0500
"Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx> wrote:

> If i < slot_id is initially true then it will remain true. Also,
> as i is being decremented it will end up accessing memory out of
> bounds.
>
> Fix this by incrementing *i* instead of decrementing it.

Nice catch!
Thanks for submitting the changes.

>
> Addresses-Coverity-ID: 1468454 ("Infinite loop")
> Fixes: faa657641081 ("staging: wilc1000: refactor scan() to free
> kmalloc memory on failure cases")
> Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx>
> ---
>
> BTW... at first sight it seems to me that variables slot_id
> and i should be of type unsigned instead of signed.

Yes, 'slot_id' & 'i' can be changed to unsigned int.

>
> drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c
> b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c index
> 3ca0c97..67104e8 100644 ---
> a/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c +++
> b/drivers/staging/wilc1000/wilc_wfi_cfgoperations.c @@ -608,7
> +608,7 @@ wilc_wfi_cfg_alloc_fill_ssid(struct cfg80211_scan_request
> *request, out_free:
>
> - for (i = 0; i < slot_id ; i--)
> + for (i = 0; i < slot_id; i++)
> kfree(ntwk->net_info[i].ssid);
>
> kfree(ntwk->net_info);



Regards,
Ajay