Date: Mon, 19 Sep 2016 22:11:34 +0000 (UTC) From: =?UTF-8?Q?Imre_Vad=c3=a1sz?= <ivadasz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r306001 - head/sys/dev/iwm Message-ID: <201609192211.u8JMBY4K071119@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ivadasz Date: Mon Sep 19 22:11:34 2016 New Revision: 306001 URL: https://svnweb.freebsd.org/changeset/base/306001 Log: [iwm] Fix off-by-one check in iwm_read_firmware(). This fixes a potential buffer overrun in the firmware parsing code. Reported by: Coverity Approved by: adrian (mentor) Differential Revision: https://reviews.freebsd.org/D7931 Modified: head/sys/dev/iwm/if_iwm.c Modified: head/sys/dev/iwm/if_iwm.c ============================================================================== --- head/sys/dev/iwm/if_iwm.c Mon Sep 19 22:08:47 2016 (r306000) +++ head/sys/dev/iwm/if_iwm.c Mon Sep 19 22:11:34 2016 (r306001) @@ -739,7 +739,7 @@ iwm_read_firmware(struct iwm_softc *sc, } capa = (const struct iwm_ucode_capa *)tlv_data; idx = le32toh(capa->api_index); - if (idx > howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) { + if (idx >= howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) { device_printf(sc->sc_dev, "unsupported API index %d\n", idx); goto parse_out;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201609192211.u8JMBY4K071119>