* drivers/net/niu.c: possible array overflows
@ 2007-10-14 17:50 Adrian Bunk
2007-10-15 8:36 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Adrian Bunk @ 2007-10-14 17:50 UTC (permalink / raw)
To: David S. Miller; +Cc: jgarzik, netdev, linux-kernel
The Coverity checker spotted the following in drivers/net/niu.c:
<-- snip -->
...
static int __devinit niu_pci_probe_sprom(struct niu *np)
{
...
val = nr64(ESPC_MOD_STR_LEN);
niudbg(PROBE, "SPROM: MOD_STR_LEN[%llu]\n",
(unsigned long long) val);
if (val > 8 * 4)
return -EINVAL;
for (i = 0; i < val; i += 4) {
u64 tmp = nr64(ESPC_NCR(5 + (i / 4)));
np->vpd.model[i + 3] = (tmp >> 0) & 0xff;
np->vpd.model[i + 2] = (tmp >> 8) & 0xff;
np->vpd.model[i + 1] = (tmp >> 16) & 0xff;
np->vpd.model[i + 0] = (tmp >> 24) & 0xff;
}
np->vpd.model[val] = '\0';
val = nr64(ESPC_BD_MOD_STR_LEN);
niudbg(PROBE, "SPROM: BD_MOD_STR_LEN[%llu]\n",
(unsigned long long) val);
if (val > 4 * 4)
return -EINVAL;
for (i = 0; i < val; i += 4) {
u64 tmp = nr64(ESPC_NCR(14 + (i / 4)));
np->vpd.board_model[i + 3] = (tmp >> 0) & 0xff;
np->vpd.board_model[i + 2] = (tmp >> 8) & 0xff;
np->vpd.board_model[i + 1] = (tmp >> 16) & 0xff;
np->vpd.board_model[i + 0] = (tmp >> 24) & 0xff;
}
np->vpd.board_model[val] = '\0';
...
<-- snip -->
Check where the '\0's get written if "val" has the maximum non-EINVAL
value.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: drivers/net/niu.c: possible array overflows
2007-10-14 17:50 drivers/net/niu.c: possible array overflows Adrian Bunk
@ 2007-10-15 8:36 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2007-10-15 8:36 UTC (permalink / raw)
To: bunk; +Cc: davem, jgarzik, netdev, linux-kernel
From: Adrian Bunk <bunk@kernel.org>
Date: Sun, 14 Oct 2007 19:50:24 +0200
> The Coverity checker spotted the following in drivers/net/niu.c:
Thanks for the report Adrian, I'll fix it like this:
commit 503211a947ab13fb44d920f78f1e19057efc277f
Author: David S. Miller <davem@sunset.davemloft.net>
Date: Mon Oct 15 01:36:24 2007 -0700
[NIU]: Fix write past end of array in niu_pci_probe_sprom().
Noticed by Coverity checker and reported by Adrian Bunk.
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/drivers/net/niu.c b/drivers/net/niu.c
index 43bfe7e..54166bd 100644
--- a/drivers/net/niu.c
+++ b/drivers/net/niu.c
@@ -6213,7 +6213,7 @@ static int __devinit niu_pci_probe_sprom(struct niu *np)
val = nr64(ESPC_MOD_STR_LEN);
niudbg(PROBE, "SPROM: MOD_STR_LEN[%llu]\n",
(unsigned long long) val);
- if (val > 8 * 4)
+ if (val >= 8 * 4)
return -EINVAL;
for (i = 0; i < val; i += 4) {
@@ -6229,7 +6229,7 @@ static int __devinit niu_pci_probe_sprom(struct niu *np)
val = nr64(ESPC_BD_MOD_STR_LEN);
niudbg(PROBE, "SPROM: BD_MOD_STR_LEN[%llu]\n",
(unsigned long long) val);
- if (val > 4 * 4)
+ if (val >= 4 * 4)
return -EINVAL;
for (i = 0; i < val; i += 4) {
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2007-10-15 8:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-10-14 17:50 drivers/net/niu.c: possible array overflows Adrian Bunk
2007-10-15 8:36 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).