Date: Wed, 14 Mar 2018 08:45:19 +0000 (UTC)
From: Eitan Adler <eadler@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r330923 - stable/11/sys/dev/bhnd/nvram
Message-ID: <201803140845.w2E8jJgT003298@repo.freebsd.org>
Author: eadler Date: Wed Mar 14 08:45:19 2018 New Revision: 330923 URL: https://svnweb.freebsd.org/changeset/base/330923 Log: MFC r302509: Fix heap overflow in bhnd(4) SPROM parsing. The bus_region_* APIs accept the number of data items to be read, while the code was passing the total number of bytes, resulting in an overflow of the SPROM parser's buffer. Modified: stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c ============================================================================== --- stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Wed Mar 14 08:33:03 2018 (r330922) +++ stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Wed Mar 14 08:45:19 2018 (r330923) @@ -523,7 +523,8 @@ sprom_direct_read(struct bhnd_sprom *sc, size_t offset p = (uint16_t *)buf; res_offset = sc->sp_res_off + offset; - bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, nbytes); + bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, + (nbytes / sizeof(uint16_t))); *crc = bhnd_nvram_crc8(p, nbytes, *crc); return (0);
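Review bot: In sprom_direct_read, the new count argument `(nbytes / sizeof(uint16_t))` rounds down when nbytes is odd, while the following `*crc = bhnd_nvram_crc8(p, nbytes, *crc);` still covers all nbytes bytes, so for an odd nbytes the CRC would include a trailing byte of buf that the bus read never filled. If the lines above this hunk do not already reject an odd nbytes, add a check before the read (for example a KASSERT or an early error return when nbytes % sizeof(uint16_t) != 0). A one-line comment noting that bhnd_bus_read_region_stream_2 takes a count of 16-bit items rather than bytes would help keep the same mistake from recurring, and the outer parentheses around the count expression are redundant.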