From owner-freebsd-wireless@freebsd.org  Mon May 16 21:43:01 2016
Return-Path: <owner-freebsd-wireless@freebsd.org>
Delivered-To: freebsd-wireless@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7B5CBB3847D
 for <freebsd-wireless@mailman.ysv.freebsd.org>;
 Mon, 16 May 2016 21:43:01 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 5737511DA
 for <freebsd-wireless@FreeBSD.org>; Mon, 16 May 2016 21:43:01 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2])
 by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u4GLgs8d072880
 for <freebsd-wireless@FreeBSD.org>; Mon, 16 May 2016 14:42:58 -0700 (PDT)
 (envelope-from truckman@FreeBSD.org)
Message-Id: <201605162142.u4GLgs8d072880@gw.catspoiler.org>
Date: Mon, 16 May 2016 12:42:50 -0700 (PDT)
From: Don Lewis <truckman@FreeBSD.org>
Subject: minor array overflow in ifconfig set80211chanlist()
To: freebsd-wireless@FreeBSD.org
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
X-BeenThere: freebsd-wireless@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions of 802.11 stack,
 tools device driver development." <freebsd-wireless.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-wireless/>
List-Post: <mailto:freebsd-wireless@freebsd.org>
List-Help: <mailto:freebsd-wireless-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-wireless>, 
 <mailto:freebsd-wireless-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2016 21:43:01 -0000

I asked adrian@ privately and he sent me here ...

Coverity is complaining about an array overflow in set80211chanlist().

The code in question is:
                        if (first > IEEE80211_CHAN_MAX)
                                errx(-1, "channel %u out of range, max %u",
                                        first, IEEE80211_CHAN_MAX);
                        setbit(chanlist.ic_channels, first);

The value of IEEE80211_CHAN_MAX is 256, so first could be as large as
256 and setbit() would still be called.

The ifconfig man page says that channel numbers should be in the range
1 to 255, so I think the correct fix would be to change this test (as
well as others that follow) to >= IEEE80211_CHAN_MAX.

Does that look correct?

Adrian suggested that maybe IEEE80211_CHAN_MAX should be 255.