Date: Thu, 16 Jan 2020 15:03:32 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 243393] [ath] Array can be accessed out of bounds
Message-ID: <bug-243393-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243393

            Bug ID: 243393
           Summary: [ath] Array can be accessed out of bounds
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: ghuckriede@blackberry.com

Overview:
Through code inspection it was discovered that some 'for' loops in the ath
module can cause an array to go out of bounds.

See the following files for reference:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.h?annotate=326695

Similar issue with the following 2 files:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.h?annotate=326695

Details:
In the 'for' loop at ah_eeprom_v4k.c:243, ctlEdges is accessed with index 'j'
in the second dimension at ah_eeprom_v4k.c:253 and ah_eeprom_v4k.c:254. 'j' is
looped up to 8 times (NUM_EDGES is defined as 8 at ah_eeprom_v4k.h:178) but
ctlEdges is declared with 4 indices in the second dimension (ctlEdges declared
at ah_eeprom_v4k.h:153 with AR5416_4K_NUM_BAND_EDGES which is defined as 4 at
ah_eeprom_v4k.h:50).

Perhaps the 'for' loop should only iterate AR5416_4K_NUM_BAND_EDGES times? Or
not use 'j' for the ctlEdges index?

Steps to Reproduce:
n.a. (code inspection)

Actual Results:
n.a. (code inspection)

Expected Results:
n.a. (code inspection)

Build Date & Hardware:
svn r326695

-- 
You are receiving this mail because:
You are the assignee for the bug.
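
The mismatch described in the report, as an added example that is not part of the original message or of the FreeBSD source: a compile-time check that ties the loop bound to the second dimension of ctlEdges, plus a bounded walk over one chain. NUM_EDGES and AR5416_4K_NUM_BAND_EDGES carry the values the report quotes; the ex_ types, the EX_ macros and the 0xFF end marker are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdint.h>

/* Values quoted in the report. */
#define NUM_EDGES                8  /* ah_eeprom_v4k.h:178 */
#define AR5416_4K_NUM_BAND_EDGES 4  /* ah_eeprom_v4k.h:50 */

/* Hypothetical, simplified stand-ins for the driver's EEPROM types. */
#define EX_NUM_CHAINS  1
#define EX_CHAN_UNUSED 0xFF  /* assumed end-of-list marker */
struct ex_edge { uint8_t bChannel; uint8_t tPower; };
struct ex_ctl_data {
    struct ex_edge ctlEdges[EX_NUM_CHAINS][AR5416_4K_NUM_BAND_EDGES];
};

#define EX_NITEMS(a)  (sizeof(a) / sizeof((a)[0]))
#define EX_EDGE_DIM   EX_NITEMS(((struct ex_ctl_data *)0)->ctlEdges[0])

/* Loop bound for index j. Swapping in NUM_EDGES fails this compile-time check. */
#define EX_LOOP_BOUND AR5416_4K_NUM_BAND_EDGES
_Static_assert(EX_LOOP_BOUND <= EX_EDGE_DIM,
    "loop bound exceeds ctlEdges second dimension");

/* Number of iterations of "for (j = 0; j < loop_bound; j++)" that would
 * index past the second dimension of ctlEdges. Nothing is dereferenced. */
size_t ex_oob_iterations(size_t loop_bound)
{
    return loop_bound > EX_EDGE_DIM ? loop_bound - EX_EDGE_DIM : 0;
}

/* Walk one chain's edges using the bound checked above at compile time.
 * Returns the number of edges visited; *max_power gets the largest tPower. */
size_t ex_walk_edges(const struct ex_ctl_data *ctl, size_t chain,
    uint8_t *max_power)
{
    size_t j;

    *max_power = 0;
    if (chain >= EX_NITEMS(ctl->ctlEdges))
        return 0;               /* first dimension is checked too */
    for (j = 0; j < EX_LOOP_BOUND; j++) {
        const struct ex_edge *e = &ctl->ctlEdges[chain][j];
        if (e->bChannel == EX_CHAN_UNUSED)
            break;              /* assumed terminator reached */
        if (e->tPower > *max_power)
            *max_power = e->tPower;
    }
    return j;
}
```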
