From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, jeff@garzik.org,
Bruce Allan <bruce.w.allan@intel.com>,
Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Subject: [NET-NEXT PATCH 09/14] e1000e: fix possible buffer overflow
Date: Fri, 21 Nov 2008 11:01:28 -0800 [thread overview]
Message-ID: <20081121190128.32313.90707.stgit@gitlost.lost> (raw)
In-Reply-To: <20081121185859.32313.42332.stgit@gitlost.lost>
From: Bruce Allan <bruce.w.allan@intel.com>
Put in missing bounds checking of an array.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
drivers/net/e1000e/es2lan.c | 5 +++++
drivers/net/e1000e/phy.c | 5 +++++
2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/drivers/net/e1000e/es2lan.c b/drivers/net/e1000e/es2lan.c
index db51114..b5250fd 100644
--- a/drivers/net/e1000e/es2lan.c
+++ b/drivers/net/e1000e/es2lan.c
@@ -104,6 +104,8 @@
*/
static const u16 e1000_gg82563_cable_length_table[] =
{ 0, 60, 115, 150, 150, 60, 115, 150, 180, 180, 0xFF };
+#define GG82563_CABLE_LENGTH_TABLE_SIZE \
+ ARRAY_SIZE(e1000_gg82563_cable_length_table)
static s32 e1000_setup_copper_link_80003es2lan(struct e1000_hw *hw);
static s32 e1000_acquire_swfw_sync_80003es2lan(struct e1000_hw *hw, u16 mask);
@@ -721,6 +723,9 @@ static s32 e1000_get_cable_length_80003es2lan(struct e1000_hw *hw)
return ret_val;
index = phy_data & GG82563_DSPD_CABLE_LENGTH;
+ if (index >= GG82563_CABLE_LENGTH_TABLE_SIZE + 5)
+ return E1000_ERR_PHY;
+
phy->min_cable_length = e1000_gg82563_cable_length_table[index];
phy->max_cable_length = e1000_gg82563_cable_length_table[index+5];
diff --git a/drivers/net/e1000e/phy.c b/drivers/net/e1000e/phy.c
index cb7d71e..d3aa6b7 100644
--- a/drivers/net/e1000e/phy.c
+++ b/drivers/net/e1000e/phy.c
@@ -41,6 +41,8 @@ static s32 e1000_access_phy_wakeup_reg_bm(struct e1000_hw *hw, u32 offset,
/* Cable length tables */
static const u16 e1000_m88_cable_length_table[] =
{ 0, 50, 80, 110, 140, 140, E1000_CABLE_LENGTH_UNDEFINED };
+#define M88E1000_CABLE_LENGTH_TABLE_SIZE \
+ ARRAY_SIZE(e1000_m88_cable_length_table)
static const u16 e1000_igp_2_cable_length_table[] =
{ 0, 0, 0, 0, 0, 0, 0, 0, 3, 5, 8, 11, 13, 16, 18, 21, 0, 0, 0, 3,
@@ -1442,6 +1444,9 @@ s32 e1000e_get_cable_length_m88(struct e1000_hw *hw)
index = (phy_data & M88E1000_PSSR_CABLE_LENGTH) >>
M88E1000_PSSR_CABLE_LENGTH_SHIFT;
+ if (index >= M88E1000_CABLE_LENGTH_TABLE_SIZE + 1)
+ return E1000_ERR_PHY;
+
phy->min_cable_length = e1000_m88_cable_length_table[index];
phy->max_cable_length = e1000_m88_cable_length_table[index+1];
next prev parent reply other threads:[~2008-11-21 19:01 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-21 18:59 [NET-NEXT PATCH 01/14] e1000e: disable correctable errors for quad ports while going to D3 Jeff Kirsher
2008-11-21 18:59 ` [NET-NEXT PATCH 02/14] e1000e: commit speed/duplex changes for m88 PHY Jeff Kirsher
2008-11-22 0:50 ` David Miller
2008-11-21 18:59 ` [NET-NEXT PATCH 03/14] e1000e: 82571 check for link fix on 82571 serdes Jeff Kirsher
2008-11-22 0:50 ` David Miller
2008-11-21 18:59 ` [NET-NEXT PATCH 04/14] e1000e: update comments listing supported parts for each MAC family Jeff Kirsher
2008-11-22 0:51 ` David Miller
2008-11-21 19:00 ` [NET-NEXT PATCH 05/14] e1000e: check return of pci_save_state Jeff Kirsher
2008-11-22 0:51 ` David Miller
2008-11-21 19:00 ` [NET-NEXT PATCH 06/14] e1000e: remove unnecessary header file inclusions Jeff Kirsher
2008-11-22 0:53 ` David Miller
2008-11-21 19:00 ` [NET-NEXT PATCH 07/14] e1000e: ESB2 config after link up Jeff Kirsher
2008-11-22 0:53 ` David Miller
2008-11-21 19:01 ` [NET-NEXT PATCH 08/14] e1000e: link up/down messages must follow a specific format Jeff Kirsher
2008-11-21 19:04 ` Dan Williams
2008-11-21 19:23 ` Jeff Kirsher
2008-11-21 20:16 ` Stephen Hemminger
2008-11-21 21:19 ` Jeff Kirsher
2008-11-22 0:55 ` David Miller
2008-11-21 19:01 ` Jeff Kirsher [this message]
2008-11-22 0:57 ` [NET-NEXT PATCH 09/14] e1000e: fix possible buffer overflow David Miller
2008-11-21 19:01 ` [NET-NEXT PATCH 10/14] e1000e: sync change flow control variables with ixgbe Jeff Kirsher
2008-11-22 0:57 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 11/14] e1000e: cosmetic newline in debug message Jeff Kirsher
2008-11-22 1:00 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 12/14] e1000e: store EEPROM version number to prevent unnecessary NVM reads Jeff Kirsher
2008-11-22 1:00 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 13/14] e1000e: fix incorrect link status when switch module pulled Jeff Kirsher
2008-11-22 1:01 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 14/14] e1000e: check return code from NVM accesses and fix bank detection Jeff Kirsher
2008-11-22 1:02 ` David Miller
2008-11-22 0:49 ` [NET-NEXT PATCH 01/14] e1000e: disable correctable errors for quad ports while going to D3 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081121190128.32313.90707.stgit@gitlost.lost \
--to=jeffrey.t.kirsher@intel.com \
--cc=bruce.w.allan@intel.com \
--cc=davem@davemloft.net \
--cc=jeff@garzik.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.