diff mbox series

[next] nl80211/cfg80211: fix potential infinite loop

Message ID 20201029222407.390218-1-colin.king@canonical.com
State New
Headers show
Series [next] nl80211/cfg80211: fix potential infinite loop | expand

Commit Message

Colin King Oct. 29, 2020, 10:24 p.m. UTC 
From: Colin Ian King <colin.king@canonical.com>

The for-loop iterates with a u8 loop counter and compares this
with the loop upper limit of request->n_ssids which is an int type.
There is a potential infinite loop if n_ssids is larger than the
u8 loop counter, so fix this by making the loop counter an int.

Addresses-Coverity: ("Infinite loop")
Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/wireless/scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Johannes Berg Oct. 30, 2020, 9:08 a.m. UTC | #1 
On Thu, 2020-10-29 at 22:24 +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>

> 

> The for-loop iterates with a u8 loop counter and compares this

> with the loop upper limit of request->n_ssids which is an int type.

> There is a potential infinite loop if n_ssids is larger than the

> u8 loop counter, so fix this by making the loop counter an int.


Makes sense, thanks. I'll apply it to next.

For the record, it shouldn't be possible for request->n_ssids to be
larger than what the driver limit was, and that's 20 by default and
doesn't make sense to be really much higher than that, so in practice
this won't happen.

johannes
diff mbox series

Patch

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 8d0e49c46db3..3409f37d838b 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -694,7 +694,7 @@  static  void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request,
 static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap,
 				     struct cfg80211_scan_request *request)
 {
-	u8 i;
+	int i;
 	u32 s_ssid;
 
 	for (i = 0; i < request->n_ssids; i++) {