svn commit: r295607 - head/sys/dev/usb/wlan

Sun Feb 14 16:11:13 UTC 2016

Sun, 14 Feb 2016 09:16:36 +0200 було написано Hans Petter Selasky  
<hselasky at freebsd.org>:

> Author: hselasky
> Date: Sun Feb 14 07:16:36 2016
> New Revision: 295607
> URL: https://svnweb.freebsd.org/changeset/base/295607
>
> Log:
>   Reduce the number of supported WLAN keys in the rum driver, else we
>   risk bit shifting overflows. Found by D5245 / PVS.
>  MFC after:	1 week

Hardware crypto support was never merged (so, there is nothing to MFC).

>
> Modified:
>   head/sys/dev/usb/wlan/if_rum.c
>   head/sys/dev/usb/wlan/if_rumreg.h
>
> Modified: head/sys/dev/usb/wlan/if_rum.c
> ==============================================================================
> --- head/sys/dev/usb/wlan/if_rum.c	Sun Feb 14 02:28:59 2016	(r295606)
> +++ head/sys/dev/usb/wlan/if_rum.c	Sun Feb 14 07:16:36 2016	(r295607)
> ...
> --- skipped ---
> ...
> Modified: head/sys/dev/usb/wlan/if_rumreg.h
> ==============================================================================
> --- head/sys/dev/usb/wlan/if_rumreg.h	Sun Feb 14 02:28:59 2016	(r295606)
> +++ head/sys/dev/usb/wlan/if_rumreg.h	Sun Feb 14 07:16:36 2016	(r295607)
> @@ -47,7 +47,7 @@
>   * H/w encryption/decryption support
>   */
>  #define KEY_SIZE		(IEEE80211_KEYBUF_SIZE + IEEE80211_MICBUF_SIZE)
> -#define RT2573_ADDR_MAX         64
> +#define RT2573_ADDR_MAX         (32 / RT2573_SKEY_MAX)
>  #define RT2573_SKEY_MAX		4
> #define RT2573_SKEY(vap, kidx)	(0x1000 + ((vap) * RT2573_SKEY_MAX + \
>

Reason of this change? (device table has 64 entries, not 8).
I have not seen any overflows, caused by it:

1)
	vap->iv_key_set = rum_key_set;
	vap->iv_key_delete = rum_key_delete;
	vap->iv_update_beacon = rum_update_beacon;
	vap->iv_max_aid = RT2573_ADDR_MAX; 					   // not the case

	usb_callout_init_mtx(&rvp->ratectl_ch, &sc->sc_mtx, 0);
	TASK_INIT(&rvp->ratectl_task, 0, rum_ratectl_task, rvp);

2)
	     k < &vap->iv_nw_keys[IEEE80211_WEP_NKID])) {
		if (!(k->wk_flags & IEEE80211_KEY_SWCRYPT)) {
			RUM_LOCK(sc);
			for (i = 0; i < RT2573_ADDR_MAX; i++) {      // can hold [0;63] without  
any overflows;
								     // keys_bmap is 64-bit, so there is no overflow too
				if ((sc->keys_bmap & (1ULL << i)) == 0) {
					sc->keys_bmap |= 1ULL << i;
					*keyix = i;

3)
				}
			}
			RUM_UNLOCK(sc);
			if (i == RT2573_ADDR_MAX) { 			   // like the first case
				device_printf(sc->sc_dev,
				    "%s: no free space in the key table\n",
				    __func__);