[PATCH][next] nl80211/cfg80211: fix potential infinite loop

[PATCH][next] nl80211/cfg80211: fix potential infinite loop

[Colin King]

From: Colin Ian King <colin.king@canonical.com>

The for-loop iterates with a u8 loop counter and compares this
with the loop upper limit of request->n_ssids which is an int type.
There is a potential infinite loop if n_ssids is larger than the
u8 loop counter, so fix this by making the loop counter an int.

Addresses-Coverity: ("Infinite loop")
Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/wireless/scan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 8d0e49c46db3..3409f37d838b 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -694,7 +694,7 @@ static  void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request,
 static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap,
 				     struct cfg80211_scan_request *request)
 {
-	u8 i;
+	int i;
 	u32 s_ssid;
 
 	for (i = 0; i < request->n_ssids; i++) {
-- 
2.27.0

Re: [PATCH][next] nl80211/cfg80211: fix potential infinite loop

[Johannes Berg]

On Thu, 2020-10-29 at 22:24 +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> The for-loop iterates with a u8 loop counter and compares this
> with the loop upper limit of request->n_ssids which is an int type.
> There is a potential infinite loop if n_ssids is larger than the
> u8 loop counter, so fix this by making the loop counter an int.

Makes sense, thanks. I'll apply it to next.

For the record, it shouldn't be possible for request->n_ssids to be
larger than what the driver limit was, and that's 20 by default and
doesn't make sense to be really much higher than that, so in practice
this won't happen.

johannes