From: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, jeff@garzik.org,
Bruce Allan <bruce.w.allan@intel.com>,
Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Subject: [NET-NEXT PATCH 09/14] e1000e: fix possible buffer overflow
Date: Fri, 21 Nov 2008 11:01:28 -0800 [thread overview]
Message-ID: <20081121190128.32313.90707.stgit@gitlost.lost> (raw)
In-Reply-To: <20081121185859.32313.42332.stgit@gitlost.lost>
From: Bruce Allan <bruce.w.allan@intel.com>
Put in missing bounds checking of an array.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
---
drivers/net/e1000e/es2lan.c | 5 +++++
drivers/net/e1000e/phy.c | 5 +++++
2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/drivers/net/e1000e/es2lan.c b/drivers/net/e1000e/es2lan.c
index db51114..b5250fd 100644
--- a/drivers/net/e1000e/es2lan.c
+++ b/drivers/net/e1000e/es2lan.c
@@ -104,6 +104,8 @@
*/
static const u16 e1000_gg82563_cable_length_table[] =
{ 0, 60, 115, 150, 150, 60, 115, 150, 180, 180, 0xFF };
+#define GG82563_CABLE_LENGTH_TABLE_SIZE \
+ ARRAY_SIZE(e1000_gg82563_cable_length_table)
static s32 e1000_setup_copper_link_80003es2lan(struct e1000_hw *hw);
static s32 e1000_acquire_swfw_sync_80003es2lan(struct e1000_hw *hw, u16 mask);
@@ -721,6 +723,9 @@ static s32 e1000_get_cable_length_80003es2lan(struct e1000_hw *hw)
return ret_val;
index = phy_data & GG82563_DSPD_CABLE_LENGTH;
+ if (index >= GG82563_CABLE_LENGTH_TABLE_SIZE + 5)
+ return E1000_ERR_PHY;
+
phy->min_cable_length = e1000_gg82563_cable_length_table[index];
phy->max_cable_length = e1000_gg82563_cable_length_table[index+5];
diff --git a/drivers/net/e1000e/phy.c b/drivers/net/e1000e/phy.c
index cb7d71e..d3aa6b7 100644
--- a/drivers/net/e1000e/phy.c
+++ b/drivers/net/e1000e/phy.c
@@ -41,6 +41,8 @@ static s32 e1000_access_phy_wakeup_reg_bm(struct e1000_hw *hw, u32 offset,
/* Cable length tables */
static const u16 e1000_m88_cable_length_table[] =
{ 0, 50, 80, 110, 140, 140, E1000_CABLE_LENGTH_UNDEFINED };
+#define M88E1000_CABLE_LENGTH_TABLE_SIZE \
+ ARRAY_SIZE(e1000_m88_cable_length_table)
static const u16 e1000_igp_2_cable_length_table[] =
{ 0, 0, 0, 0, 0, 0, 0, 0, 3, 5, 8, 11, 13, 16, 18, 21, 0, 0, 0, 3,
@@ -1442,6 +1444,9 @@ s32 e1000e_get_cable_length_m88(struct e1000_hw *hw)
index = (phy_data & M88E1000_PSSR_CABLE_LENGTH) >>
M88E1000_PSSR_CABLE_LENGTH_SHIFT;
+ if (index >= M88E1000_CABLE_LENGTH_TABLE_SIZE + 1)
+ return E1000_ERR_PHY;
+
phy->min_cable_length = e1000_m88_cable_length_table[index];
phy->max_cable_length = e1000_m88_cable_length_table[index+1];
next prev parent reply other threads:[~2008-11-21 19:01 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-21 18:59 [NET-NEXT PATCH 01/14] e1000e: disable correctable errors for quad ports while going to D3 Jeff Kirsher
2008-11-21 18:59 ` [NET-NEXT PATCH 02/14] e1000e: commit speed/duplex changes for m88 PHY Jeff Kirsher
2008-11-22 0:50 ` David Miller
2008-11-21 18:59 ` [NET-NEXT PATCH 03/14] e1000e: 82571 check for link fix on 82571 serdes Jeff Kirsher
2008-11-22 0:50 ` David Miller
2008-11-21 18:59 ` [NET-NEXT PATCH 04/14] e1000e: update comments listing supported parts for each MAC family Jeff Kirsher
2008-11-22 0:51 ` David Miller
2008-11-21 19:00 ` [NET-NEXT PATCH 05/14] e1000e: check return of pci_save_state Jeff Kirsher
2008-11-22 0:51 ` David Miller
2008-11-21 19:00 ` [NET-NEXT PATCH 06/14] e1000e: remove unnecessary header file inclusions Jeff Kirsher
2008-11-22 0:53 ` David Miller
2008-11-21 19:00 ` [NET-NEXT PATCH 07/14] e1000e: ESB2 config after link up Jeff Kirsher
2008-11-22 0:53 ` David Miller
2008-11-21 19:01 ` [NET-NEXT PATCH 08/14] e1000e: link up/down messages must follow a specific format Jeff Kirsher
2008-11-21 19:04 ` Dan Williams
2008-11-21 19:23 ` Jeff Kirsher
2008-11-21 20:16 ` Stephen Hemminger
2008-11-21 21:19 ` Jeff Kirsher
2008-11-22 0:55 ` David Miller
2008-11-21 19:01 ` Jeff Kirsher [this message]
2008-11-22 0:57 ` [NET-NEXT PATCH 09/14] e1000e: fix possible buffer overflow David Miller
2008-11-21 19:01 ` [NET-NEXT PATCH 10/14] e1000e: sync change flow control variables with ixgbe Jeff Kirsher
2008-11-22 0:57 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 11/14] e1000e: cosmetic newline in debug message Jeff Kirsher
2008-11-22 1:00 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 12/14] e1000e: store EEPROM version number to prevent unnecessary NVM reads Jeff Kirsher
2008-11-22 1:00 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 13/14] e1000e: fix incorrect link status when switch module pulled Jeff Kirsher
2008-11-22 1:01 ` David Miller
2008-11-21 19:02 ` [NET-NEXT PATCH 14/14] e1000e: check return code from NVM accesses and fix bank detection Jeff Kirsher
2008-11-22 1:02 ` David Miller
2008-11-22 0:49 ` [NET-NEXT PATCH 01/14] e1000e: disable correctable errors for quad ports while going to D3 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20081121190128.32313.90707.stgit@gitlost.lost \
--to=jeffrey.t.kirsher@intel.com \
--cc=bruce.w.allan@intel.com \
--cc=davem@davemloft.net \
--cc=jeff@garzik.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).