tg3_read_partno(): possible array overrun
From: Adrian Bunk @ 2006-11-06 9:45 UTC (permalink / raw)
To: jgarzik, davem; +Cc: netdev, linux-kernel
The Coverity checker noted the following in drivers/net/tg3.c:
<-- snip -->
...
static void __devinit tg3_read_partno(struct tg3 *tp)
{
unsigned char vpd_data[256];
int i;
...
/* Now parse and find the part number. */
for (i = 0; i < 256; ) {
unsigned char val = vpd_data[i];
int block_end;
if (val == 0x82 || val == 0x91) {
i = (i + 3 +
(vpd_data[i + 1] +
(vpd_data[i + 2] << 8)));
continue;
}
if (val != 0x90)
goto out_not_found;
block_end = (i + 3 +
(vpd_data[i + 1] +
(vpd_data[i + 2] << 8)));
i += 3;
...
<-- snip -->
The problem is that vpd_data[i + 2] could be vpd_data[255 + 2].
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
Re: tg3_read_partno(): possible array overrun
From: Michael Chan @ 2006-11-06 20:07 UTC (permalink / raw)
To: Adrian Bunk; +Cc: jgarzik, davem, netdev, linux-kernel
On Mon, 2006-11-06 at 10:45 +0100, Adrian Bunk wrote:
> The Coverity checker noted the following in drivers/net/tg3.c:
>
> <-- snip -->
>
> The problem is that vpd_data[i + 2] could be vpd_data[255 + 2].
Thanks. This should fix it:
[TG3]: Fix array overrun in tg3_read_partno().
Use proper upper limits for the loops and check for all error
conditions.
The problem was noticed by Adrian Bunk.
Signed-off-by: Michael Chan <mchan@broadcom.com>
diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
index 8f059b7..06e4f77 100644
--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -10212,7 +10212,7 @@ skip_phy_reset:
static void __devinit tg3_read_partno(struct tg3 *tp)
{
unsigned char vpd_data[256];
- int i;
+ unsigned int i;
u32 magic;
if (tg3_nvram_read_swab(tp, 0x0, &magic))
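Review bot: the `int` to `unsigned int` change of `i` is not explained in the commit message, and on its own it closes nothing; the index values seen below (`i + 3 + (vpd_data[i + 1] + (vpd_data[i + 2] << 8))`, at most 3 + 65535) fit an `int` without overflow. Its purpose is to keep the index and `block_end` arithmetic and the comparisons against `254`, `256` and `block_end - 2` in the later hunks unsigned, so a short note saying so (in the commit message or a comment above the declaration) would help the next reader, since the real bounds are added in the loop hunks.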
@@ -10258,9 +10258,9 @@ static void __devinit tg3_read_partno(st
}
/* Now parse and find the part number. */
- for (i = 0; i < 256; ) {
+ for (i = 0; i < 254; ) {
unsigned char val = vpd_data[i];
- int block_end;
+ unsigned int block_end;
if (val == 0x82 || val == 0x91) {
i = (i + 3 +
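Review bot: `254` is the right bound (with `i <= 253`, the `vpd_data[i + 2]` read that Adrian's report flagged lands on index 255 at most) but it is a bare magic number sitting next to a `256`-byte array; `sizeof(vpd_data) - 2` or a one-line comment stating that the tag's two length bytes must stay inside the array would tie the bound to the declaration. The `0x82`/`0x91` branch needs no extra check of its own: the new `i` it computes is re-tested by the `for` condition before any further read.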
@@ -10276,21 +10276,26 @@ static void __devinit tg3_read_partno(st
(vpd_data[i + 1] +
(vpd_data[i + 2] << 8)));
i += 3;
- while (i < block_end) {
+
+ if (block_end > 256)
+ goto out_not_found;
+
+ while (i < (block_end - 2)) {
if (vpd_data[i + 0] == 'P' &&
vpd_data[i + 1] == 'N') {
int partno_len = vpd_data[i + 2];
- if (partno_len > 24)
+ i += 3;
+ if (partno_len > 24 || (partno_len + i) > 256)
goto out_not_found;
memcpy(tp->board_part_number,
- &vpd_data[i + 3],
- partno_len);
+ &vpd_data[i], partno_len);
/* Success. */
return;
}
+ i += 3 + vpd_data[i + 2];
}
/* Part number not found. */
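Review bot: the added `i += 3 + vpd_data[i + 2];` fixes a second bug the commit message does not mention: in the removed and context lines nothing advances `i` inside the `while`, so a VPD-R block whose first keyword is not "PN" would spin forever, and the log should say so. The bounds themselves look right: `block_end > 256` rejects a block that runs past `vpd_data`, `i < block_end - 2` keeps the three-byte keyword header (`vpd_data[i + 0..2]`) inside it, and `(partno_len + i) > 256` keeps the `memcpy` source inside the array. Two smaller points: `partno_len > 24` hardcodes the size of `tp->board_part_number`, which this hunk does not show, so `sizeof(tp->board_part_number)` would keep the check in step with the struct; and `partno_len` stays `int` while it is added to the now-unsigned `i`, which is harmless (it comes from an `unsigned char`) but would read more cleanly as `unsigned int` like the rest of the indexing.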
Re: tg3_read_partno(): possible array overrun
From: David Miller @ 2006-11-07 22:58 UTC (permalink / raw)
To: mchan; +Cc: bunk, jgarzik, netdev, linux-kernel
From: "Michael Chan" <mchan@broadcom.com>
Date: Mon, 06 Nov 2006 12:07:31 -0800
> On Mon, 2006-11-06 at 10:45 +0100, Adrian Bunk wrote:
> > The Coverity checker noted the following in drivers/net/tg3.c:
> >
> > <-- snip -->
> >
> > The problem is that vpd_data[i + 2] could be vpd_data[255 + 2].
>
> Thanks. This should fix it:
>
> [TG3]: Fix array overrun in tg3_read_partno().
>
> Use proper upper limits for the loops and check for all error
> conditions.
>
> The problem was noticed by Adrian Bunk.
>
> Signed-off-by: Michael Chan <mchan@broadcom.com>
Applied, thanks Michael.
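To make the overrun in Adrian's report and the effect of Michael's bounds concrete, here is an added example, not code from this thread or from tg3.c: a stand-alone C model of the VPD scan that can run with the bounds quoted in the report (loop to 256, no `block_end` check) or with the bounds from the patch (loop to 254, `block_end > 256` and `partno_len + i > 256` rejected). Every array access goes through an accessor that refuses to read past the 256-byte image and counts the attempt instead, so the unchecked mode reports how many bytes it would have touched beyond `vpd_data` rather than actually doing it. The three VPD images are constructed for the example, not taken from a card; the 25-byte `partno` buffer, the unsigned index in both modes, and the keyword-by-keyword advance in both modes (the patched behaviour) are assumptions of the model.

```c
/* Added example (not from the thread or tg3.c): model of the
 * tg3_read_partno() VPD scan, with the original or the patched bounds. */
#include <stdio.h>
#include <string.h>

#define VPD_LEN 256

struct vpd_scan {
    unsigned char vpd[VPD_LEN];
    unsigned int overrun;   /* reads that would have landed past vpd[] */
    char partno[25];        /* assumed: the 24-byte limit plus a NUL */
};

/* Bounds-recording read: never touches memory outside the image. */
static unsigned char rd(struct vpd_scan *s, unsigned int idx)
{
    if (idx >= VPD_LEN) {
        s->overrun++;
        return 0;
    }
    return s->vpd[idx];
}

/* hardened == 0: bounds as quoted in the report; 1: bounds from the patch.
 * Returns 0 and fills s->partno on success, -1 when no part number is found. */
static int scan(struct vpd_scan *s, int hardened)
{
    unsigned int i, lim = hardened ? 254 : 256;

    for (i = 0; i < lim; ) {
        unsigned char val = rd(s, i);
        unsigned int block_end, k;

        if (val == 0x82 || val == 0x91) {      /* skip identifier / RW block */
            i = i + 3 + (rd(s, i + 1) + (rd(s, i + 2) << 8));
            continue;
        }
        if (val != 0x90)                       /* not a VPD-R block */
            return -1;
        block_end = i + 3 + (rd(s, i + 1) + (rd(s, i + 2) << 8));
        i += 3;
        if (hardened && block_end > 256)       /* block runs past the image */
            return -1;
        while (i < (hardened ? block_end - 2 : block_end)) {
            if (rd(s, i) == 'P' && rd(s, i + 1) == 'N') {
                unsigned int partno_len = rd(s, i + 2);

                i += 3;
                if (partno_len > 24 || (hardened && partno_len + i > 256))
                    return -1;
                for (k = 0; k < partno_len; k++)
                    s->partno[k] = (char)rd(s, i + k);
                s->partno[partno_len] = '\0';
                return 0;
            }
            i += 3 + rd(s, i + 2);             /* next keyword */
        }
        return -1;
    }
    return -1;
}

/* Constructed images, not real card data. */
static void image_valid(struct vpd_scan *s)
{
    memset(s, 0, sizeof(*s));
    s->vpd[0] = 0x82; s->vpd[1] = 4;          /* identifier string "TEST" */
    memcpy(&s->vpd[3], "TEST", 4);
    s->vpd[7] = 0x90; s->vpd[8] = 8;          /* VPD-R block, block_end = 18 */
    s->vpd[10] = 'P'; s->vpd[11] = 'N'; s->vpd[12] = 5;
    memcpy(&s->vpd[13], "ABC12", 5);
}

/* Adrian's case: a 252-byte identifier puts the next tag at vpd[255],
 * whose two length bytes would be vpd[256] and vpd[257]. */
static void image_tag_at_255(struct vpd_scan *s)
{
    memset(s, 0, sizeof(*s));
    s->vpd[0] = 0x82; s->vpd[1] = 252;
    s->vpd[255] = 0x82;
}

/* VPD-R block ending exactly at 256 whose PN length runs past the image. */
static void image_lying_pn(struct vpd_scan *s)
{
    memset(s, 0, sizeof(*s));
    s->vpd[0] = 0x90; s->vpd[1] = 253;                       /* block_end = 256 */
    s->vpd[3] = 'R'; s->vpd[4] = 'V'; s->vpd[5] = 230;       /* skip to 236 */
    s->vpd[236] = 'P'; s->vpd[237] = 'N'; s->vpd[238] = 24;  /* copies 239..262 */
}

/* 1 if the scan returns rc, touched exactly `overrun` bytes past the image,
 * and (for rc == 0) extracted `partno`; 0 otherwise. */
static int check(void (*build)(struct vpd_scan *), int hardened,
                 int rc, unsigned int overrun, const char *partno)
{
    struct vpd_scan s;

    build(&s);
    if (scan(&s, hardened) != rc || s.overrun != overrun)
        return 0;
    return rc != 0 || strcmp(s.partno, partno) == 0;
}

int main(void)
{
    printf("valid image, original/patched find ABC12: %d %d\n",
           check(image_valid, 0, 0, 0, "ABC12"), check(image_valid, 1, 0, 0, "ABC12"));
    printf("tag at 255: original reads 2 bytes past vpd[]: %d, patched rejects: %d\n",
           check(image_tag_at_255, 0, -1, 2, ""), check(image_tag_at_255, 1, -1, 0, ""));
    printf("lying PN length: original copies 7 bytes past vpd[]: %d, patched rejects: %d\n",
           check(image_lying_pn, 0, 0, 7, ""), check(image_lying_pn, 1, -1, 0, ""));
    return 0;
}
```

The second image is the exact shape Adrian describes (`vpd_data[255 + 2]`), and the third shows why the patch's `partno_len + i > 256` check is needed on top of `block_end > 256`: a block can end inside the array while its PN length field still points past the end.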