From mboxrd@z Thu Jan 1 00:00:00 1970 From: Roel Kluin Subject: Re: [PATCH] fealnx: Write outside array bounds Date: Sat, 25 Jul 2009 19:41:12 +0200 Message-ID: <4A6B43B8.3070209@gmail.com> References: <4A699FC2.2080407@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: "David S. Miller" , netdev , Andrew Morton To: =?ISO-8859-1?Q?Ilpo_J=E4rvinen?= Return-path: Received: from mail-ew0-f226.google.com ([209.85.219.226]:63043 "EHLO mail-ew0-f226.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751290AbZGYRik (ORCPT ); Sat, 25 Jul 2009 13:38:40 -0400 Received: by ewy26 with SMTP id 26so2371466ewy.37 for ; Sat, 25 Jul 2009 10:38:39 -0700 (PDT) In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: phy_idx is checked to be < 4, but np->phys[] is 2 elements long Signed-off-by: Roel Kluin --- >> Or should the number of elements be increased? >> - for (phy = 1; phy < 32 && phy_idx < 4; phy++) { >> + for (phy = 1; phy < 32 && phy_idx < 2; phy++) { > In either of the case, one should use ARRAY_SIZE(np->phys) instead of the > number. Ah, yes. diff --git a/drivers/net/fealnx.c b/drivers/net/fealnx.c index 48385c4..160655d 100644 --- a/drivers/net/fealnx.c +++ b/drivers/net/fealnx.c @@ -584,7 +584,8 @@ static int __devinit fealnx_init_one(struct pci_dev *pdev, if (np->flags == HAS_MII_XCVR) { int phy, phy_idx = 0; - for (phy = 1; phy < 32 && phy_idx < 4; phy++) { + for (phy = 1; phy < 32 && phy_idx < ARRAY_SIZE(np->phys); + phy++) { int mii_status = mdio_read(dev, phy, 1); if (mii_status != 0xffff && mii_status != 0x0000) {