Date: Wed, 26 Sep 2001 23:00:02 -0700 (PDT)
Message-Id: <200109270600.f8R602K26490@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Bruce Evans
Subject: Re: misc/30857: intr_machdep.c allows access out of array bound

The following reply was made to PR misc/30857; it has been noted by GNATS.

From: Bruce Evans
To: David Xu
Subject: Re: misc/30857: intr_machdep.c allows access out of array bound
Date: Thu, 27 Sep 2001 15:55:24 +1000 (EST)

On Wed, 26 Sep 2001, David Xu wrote:

> >Description:
> in source file /sys/i386/isa/intr_machdep.c, function icu_setup
> does not detect array bound correctly, allow access out of bound data.
> >How-To-Repeat:
>
> >Fix:
> patch is here:
> --- intr_machdep.c.orig Thu Sep 27 09:03:29 2001 > +++ intr_machdep.c Thu Sep 27 09:04:11 2001 > @@ -433,6 +433,7 @@ > #else > if ((u_int)intr >= ICU_LEN || intr == ICU_SLAVEID) > #endif /* APIC_IO */ > + return (EINVAL);

These bytes rotted away when register_intr() was mutated to icu_setup()
in rev.1.85 of sys/i386/isa/isa.c.

> if (intr_handler[intr] != isa_strayintr) > return (EBUSY);

Bruce
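
Review bot: The added return (EINVAL); after #endif /* APIC_IO */ serves as the body of both preprocessor variants of the range check, but only the #else condition is visible in this hunk, so confirm that the APIC_IO variant above it also ends as a bare if (...) with no statement of its own. Without the added line, the following if (intr_handler[intr] != isa_strayintr) binds as the body of the range check: the code still compiles, the EBUSY test is skipped for every valid intr, and intr_handler[intr] is read only when intr is >= ICU_LEN or equal to ICU_SLAVEID, which is the out-of-bounds access the PR reports. A one-line comment on the shared return noting that it closes both #ifdef branches would make a repeat of this loss easier to spot in a later diff.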