Bug 212993 - A possible divide by zero in mwifiex_set_ibss_params
Summary: A possible divide by zero in mwifiex_set_ibss_params
Status: RESOLVED INVALID
Alias: None
Product: Networking
Classification: Unclassified
Component: Wireless (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: networking_wireless@kernel-bugs.osdl.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-08 11:01 UTC by YiyuanGUO
Modified: 2021-06-10 23:53 UTC (History)
4 users (show)

See Also:
Kernel Version: 5.12.2
Subsystem:
Regression: No
Bisected commit-id:


Attachments

Description YiyuanGUO 2021-05-08 11:01:34 UTC
In the file drivers/net/wireless/marvell/mwifiex/cfg80211.c, the function mwifiex_set_ibss_params has the following code (link to the code location: https://github.com/torvalds/linux/blob/dd860052c99b1e088352bdd4fb7aef46f8d2ef47/drivers/net/wireless/marvell/mwifiex/cfg80211.c#L2453):

static int mwifiex_set_ibss_params(struct mwifiex_private *priv,
				   struct cfg80211_ibss_params *params) {
  ...
  int index = 0;
  ...
  if (params->chandef.chan->band == NL80211_BAND_2GHZ) {
    if (!params->basic_rates) {
      ...
    } else {
      for (i = 0; i < mwifiex_band_2ghz.n_bitrates; i++) {
        if (mwifiex_rates[i].bitrate == 60) {
	  index = 1 << i;
	  break;
	}
      }

      if (params->basic_rates < index) {
        ...
      } else {
        ...
	if (params->basic_rates % index)
	...				
      }
    }
  }
}

If the variable index is never altered inside the for loop (i.e., no bitrare equals to 60), then it will remain 0 until evaluating params->basic_rates % index, leading to a divide by zero problem.
Comment 1 Brian Norris 2021-06-10 23:53:31 UTC
> If the variable index is never altered inside the for loop (i.e., no bitrare
> equals to 60)

Well, there's your kicker -- this loop uses a constant array (mwifiex_rates[]) which *does* have an entry with a bitrate of 60. So this divide by zero won't happen.

This isn't exactly the most beautiful code, but bugzilla probably isn't the place for code review.

Closing this as INVALID.

Note You need to log in before you can comment on or make changes to this bug.