On Thu, 2018-09-27 at 07:26 +0900, Masashi Honma wrote:
> On 2018/09/26 18:23, Johannes Berg wrote:
> > I applied the first patch in the series, but I don't understand why this
> > patch should be necessary.
> >
> > The value of i isn't controlled by the user, so it shouldn't need to be
> > sanitized?
> >
> > The context was *just* missing, added by me:
> >
> > 	for (i = 0; i < n; i++)
> > > 		if (last < wdev->cqm_config->rssi_thresholds[i])
> > > 			break;
> >
> > This loop determines i, and the user doesn't even control "last", but
> > even if they did, the possible values of i could only end up being in
> > the range 0..n-1, so no problems?
>
> The variable i could be n after the loop when this condition is not
> satisfied for all rssi_thresholds[i].
>
> >> 		if (last < wdev->cqm_config->rssi_thresholds[i])
> >> 			break;
>
> And user could control rssi_thresholds[i] by using
> NL80211_ATTR_CQM_RSSI_THOLD.
>
> For example, I could set 4 rssi_thresholds -400, -300, -200, -100.
> And then last is -34. I could get i = n = 4 after the loop.

Yes, good point, thanks for the explanation. I'll merge this then.

johannes
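
The case discussed in this thread, as an added example that is not part of the original message or of the kernel source: the quoted loop run over the thresholds from the e-mail, showing that i ends up in 0..n rather than 0..n-1. The names cqm_threshold_index, cqm_range_for and sample_thresholds, and the consumer that reads the neighbouring thresholds, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed input: the four thresholds given in the e-mail. */
static const int32_t sample_thresholds[] = { -400, -300, -200, -100 };

/* Same loop as quoted in the thread: returns the first index whose
 * threshold is above `last`, or n when no threshold is above it. */
static int cqm_threshold_index(const int32_t *thresholds, int n, int32_t last)
{
	int i;

	for (i = 0; i < n; i++)
		if (last < thresholds[i])
			break;
	return i; /* possible values are 0..n, not 0..n-1 */
}

/* Hypothetical consumer (an assumption, not kernel code): returns the
 * thresholds on either side of `last`. Both reads are guarded so that
 * i == 0 and i == n never index outside the array. */
struct cqm_range { int32_t low, high; };

static struct cqm_range cqm_range_for(const int32_t *thresholds, int n,
				      int32_t last)
{
	int i = cqm_threshold_index(thresholds, n, last);
	struct cqm_range r;

	r.low  = (i > 0) ? thresholds[i - 1] : INT32_MIN;
	r.high = (i < n) ? thresholds[i]     : INT32_MAX;
	return r;
}

int main(void)
{
	struct cqm_range r = cqm_range_for(sample_thresholds, 4, -34);

	printf("i=%d low=%d high=%d\n",
	       cqm_threshold_index(sample_thresholds, 4, -34),
	       (int)r.low, (int)r.high);
	return 0;
}
```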