Date: Thu, 16 Jan 2020 15:03:32 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 243393] [ath] Array can be accessed out of bounds
Message-ID: <bug-243393-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243393

Bug ID: 243393
Summary: [ath] Array can be accessed out of bounds
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: ghuckriede@blackberry.com

Overview:

Through code inspection it was discovered that some 'for' loops in the ath module can cause an array to go out of bounds.

See the following files for reference:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.h?annotate=326695

Similar issue with the following 2 files:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.h?annotate=326695

Details:

In the 'for' loop at ah_eeprom_v4k.c:243, ctlEdges is accessed with index 'j' in the second dimension at ah_eeprom_v4k.c:253 and ah_eeprom_v4k.c:254. 'j' is looped up to 8 times (NUM_EDGES is defined as 8 at ah_eeprom_v4k.h:178) but ctlEdges is declared with 4 indices in the second dimension (ctlEdges declared at ah_eeprom_v4k.h:153 with AR5416_4K_NUM_BAND_EDGES which is defined as 4 at ah_eeprom_v4k.h:50).

Perhaps the 'for' loop should only iterate AR5416_4K_NUM_BAND_EDGES times? Or not use 'j' for the ctlEdges index?

Steps to Reproduce: n.a. (code inspection)
Actual Results: n.a. (code inspection)
Expected Results: n.a. (code inspection)
Build Date & Hardware: svn r326695

-- 
You are receiving this mail because:
You are the assignee for the bug.
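The loop-bound mismatch the report describes, as an added example that is not part of the bug report or of the FreeBSD ath driver: the constants keep the report's names and values, but the struct layout is a simplified stand-in (an assumption, not the real ar5416 4K EEPROM layout), and the buggy pattern only counts the iterations that would index past the array instead of writing through it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as stated in the report: the array is 4 wide, the loop runs to 8. */
#define AR5416_4K_NUM_BAND_EDGES 4
#define NUM_EDGES                8

/* Hypothetical stand-in for the driver's ctlEdges element and holder. */
typedef struct {
    uint8_t bChannel;
    uint8_t tPower;
} cal_ctl_edge_t;

typedef struct {
    cal_ctl_edge_t ctlEdges[1][AR5416_4K_NUM_BAND_EDGES]; /* 2nd dim is 4 */
} cal_ctl_data_t;

/* Width of the second dimension, derived from the declaration itself so the
 * loop bound can never drift away from the array size. */
#define CTL_EDGE_COUNT \
    (sizeof(((cal_ctl_data_t *)0)->ctlEdges[0]) / \
     sizeof(((cal_ctl_data_t *)0)->ctlEdges[0][0]))

/* Buggy pattern: 'j' runs to 'bound' (NUM_EDGES in the report) although the
 * array only has AR5416_4K_NUM_BAND_EDGES slots. Returns how many iterations
 * would touch ctlEdges[0][j] beyond the array, without performing the access. */
size_t oob_iterations_with_bound(size_t bound)
{
    size_t oob = 0;
    for (size_t j = 0; j < bound; j++)
        if (j >= CTL_EDGE_COUNT)
            oob++;                 /* this index lies past the last element */
    return oob;
}

/* Hardened form: bound the loop by the array width, as the report suggests.
 * Returns the number of slots written (always exactly the array width). */
size_t fill_edges_safe(cal_ctl_data_t *d)
{
    size_t j;
    for (j = 0; j < CTL_EDGE_COUNT; j++) {
        d->ctlEdges[0][j].bChannel = (uint8_t)j;
        d->ctlEdges[0][j].tPower = 0;
    }
    return j;
}

int main(void)
{
    cal_ctl_data_t d;
    printf("iterations out of bounds with NUM_EDGES: %zu\n",
           oob_iterations_with_bound(NUM_EDGES));
    printf("slots written by hardened loop: %zu\n", fill_edges_safe(&d));
    return 0;
}
```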