On 2018/09/26 18:23, Johannes Berg wrote:
> I applied the first patch in the series, but I don't understand why this
> patch should be necessary.
>
> The value of i isn't controlled by the user, so it shouldn't need to be
> sanitized?
>
> The context was *just* missing, added by me:
>
>          for (i = 0; i < n; i++)
>                 if (last < wdev->cqm_config->rssi_thresholds[i])
>                         break;
>
> This loop determines i, and the user doesn't even control "last", but
> even if they did, the possible values of i could only end up being in
> the range 0..n-1, so no problems?

The variable i could be n after the loop when this condition is not satisfied for all rssi_thresholds[i].

>>                if (last < wdev->cqm_config->rssi_thresholds[i])
>>                        break;

And the user could control rssi_thresholds[i] by using NL80211_ATTR_CQM_RSSI_THOLD.

For example, I could set 4 rssi_thresholds -400, -300, -200, -100.
And then last is -34. I could get i = n = 4 after the loop.

Regards,
Masashi Honma.
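
Added example (not part of the original message and not kernel code): the quoted loop run over the four thresholds from the reply, showing that i ends at n, followed by a hypothetical consumer that checks i before indexing. The names first_threshold_above, range_for and struct rssi_range, and the INT32_MIN/INT32_MAX sentinels, are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The quoted loop as a function: index of the first threshold that is
 * greater than `last`, or n when no threshold is (loop ran to the end). */
static size_t first_threshold_above(const int32_t *th, size_t n, int32_t last)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (last < th[i])
            break;
    return i;               /* range is 0..n, not 0..n-1 */
}

struct rssi_range { int32_t low, high; };

/* Hypothetical consumer (assumption, not kernel code): the thresholds
 * on either side of `last`. th[i - 1] is read only when i > 0 and th[i]
 * only when i < n; the open ends get INT32_MIN / INT32_MAX. */
static struct rssi_range range_for(const int32_t *th, size_t n, int32_t last)
{
    size_t i = first_threshold_above(th, n, last);
    struct rssi_range r;

    r.low  = i > 0 ? th[i - 1] : INT32_MIN;
    r.high = i < n ? th[i]     : INT32_MAX;
    return r;
}

int main(void)
{
    /* Values from the reply: four thresholds, last = -34. */
    const int32_t th[] = { -400, -300, -200, -100 };
    const size_t n = sizeof(th) / sizeof(th[0]);
    struct rssi_range r = range_for(th, n, -34);

    printf("i = %zu, n = %zu\n", first_threshold_above(th, n, -34), n);
    printf("low = %d, high = %d\n", (int)r.low, (int)r.high);
    return 0;
}
```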

