From fe3e4523996e3d2aa19eb57b5de30467411e6005 Mon Sep 17 00:00:00 2001
From: Hans Petter Selasky
Date: Sun, 14 Feb 2016 07:16:36 +0000
Subject: [PATCH] Reduce the number of supported WLAN keys in the rum driver, else we risk bit shifting overflows. Found by D5245 / PVS.
MFC after: 1 week
---
 sys/dev/usb/wlan/if_rum.c | 6 +++---
 sys/dev/usb/wlan/if_rumreg.h | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/sys/dev/usb/wlan/if_rum.c b/sys/dev/usb/wlan/if_rum.c
index 3fada69ec18..e428a8f500d 100644
--- a/sys/dev/usb/wlan/if_rum.c
+++ b/sys/dev/usb/wlan/if_rum.c
@@ -2732,7 +2732,7 @@ rum_pair_key_del_cb(struct rum_softc *sc, union sec_param *data,
 DPRINTF("%s: removing key %d\n", __func__, k->wk_keyix);
 rum_clrbits(sc, (k->wk_keyix < 32) ? RT2573_SEC_CSR2 : RT2573_SEC_CSR3, 1 << (k->wk_keyix % 32));
- sc->keys_bmap &= ~(1 << k->wk_keyix);
+ sc->keys_bmap &= ~(1ULL << k->wk_keyix);
 if (--sc->vap_key_count[rvp_id] == 0) rum_clrbits(sc, RT2573_SEC_CSR4, 1 << rvp_id);
 }
@@ -2749,8 +2749,8 @@ rum_key_alloc(struct ieee80211vap *vap, struct ieee80211_key *k,
 if (!(k->wk_flags & IEEE80211_KEY_SWCRYPT)) {
 RUM_LOCK(sc);
 for (i = 0; i < RT2573_ADDR_MAX; i++) {
- if ((sc->keys_bmap & (1 << i)) == 0) {
- sc->keys_bmap |= 1 << i;
+ if ((sc->keys_bmap & (1ULL << i)) == 0) {
+ sc->keys_bmap |= (1ULL << i);
 *keyix = i;
 break;
 }
diff --git a/sys/dev/usb/wlan/if_rumreg.h b/sys/dev/usb/wlan/if_rumreg.h
index c673fd7975e..f1f1195798b 100644
--- a/sys/dev/usb/wlan/if_rumreg.h
+++ b/sys/dev/usb/wlan/if_rumreg.h
@@ -47,7 +47,7 @@
 * H/w encryption/decryption support
 */
 #define KEY_SIZE (IEEE80211_KEYBUF_SIZE + IEEE80211_MICBUF_SIZE)
-#define RT2573_ADDR_MAX 64
+#define RT2573_ADDR_MAX (32 / RT2573_SKEY_MAX)
 #define RT2573_SKEY_MAX 4
 #define RT2573_SKEY(vap, kidx) (0x1000 + ((vap) * RT2573_SKEY_MAX + \
-- 
2.45.2
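Review bot: `k->wk_keyix` is used as a shift count in `sc->keys_bmap &= ~(1ULL << k->wk_keyix);` with no bound visible in this hunk, and the shift is only defined while the index is smaller than the width of the operand (64 bits for `1ULL`). If the invariant is that pairwise indices always come from `rum_key_alloc`, it should be stated where it is relied on, for example `KASSERT(k->wk_keyix < RT2573_ADDR_MAX, ("bad key index %d", k->wk_keyix));` ahead of the `rum_clrbits` call. The context line above still shifts a plain `int` (`1 << (k->wk_keyix % 32)`), and with the table reduced to `32 / RT2573_SKEY_MAX` entries the `RT2573_SEC_CSR3` arm of the ternary looks unreachable, so `1U <<` and removing the dead arm would keep the register mask and the software bitmap consistent. The body of `rum_pair_key_del_cb` starts before the hunk, so an earlier check may already exist.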
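Review bot: The slot search in `rum_key_alloc` now covers `32 / RT2573_SKEY_MAX` entries instead of 64, so the no-free-slot case (the `for` loop finishing with `i == RT2573_ADDR_MAX` and `*keyix` never written) becomes much easier to reach on a busy access point. The handling of that case lies outside the hunk; it is worth confirming that it fails the allocation cleanly, or falls back to software crypto, rather than continuing with an unset `*keyix`. A short comment above the loop such as `/* first clear bit in keys_bmap is the free pairwise slot */` would also document what the bitmap tracks.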
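Review bot: `RT2573_ADDR_MAX` is now derived from a bare `32` with no comment naming the 32-bit quantity that bounds it, and it refers to `RT2573_SKEY_MAX` one line before that macro is defined. The forward reference is harmless to the preprocessor, because expansion happens at the point of use, but it reads like an ordering mistake. Moving `#define RT2573_SKEY_MAX 4` above it and adding a comment such as `/* pairwise key slots; bounded so per-key bit shifts stay within 32 bits */` would record the constraint the commit message describes. The register or expression that actually imposes the limit is not visible in this diff, so the comment wording needs confirming against the driver.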