[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <87lh5bhpts.fsf@purkki.adurom.net>
Date: Mon, 21 Mar 2016 16:23:59 +0200
From: Kalle Valo <kvalo@...eaurora.org>
To: Arnd Bergmann <arnd@...db.de>
Cc: "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
QCA ath9k Development <ath9k-devel@....qualcomm.com>,
linux-wireless@...r.kernel.org, ath9k-devel@...ts.ath9k.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/5] ath9k: fix buffer overrun for ar9287
Arnd Bergmann <arnd@...db.de> writes:
> Code that was added back in 2.6.38 has an obvious overflow
> when accessing a static array, and at the time it was added
> only a code comment was put in front of it as a reminder
> to have it reviewed properly.
>
> This has not happened, but gcc-6 now points to the specific
> overflow:
>
> drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
> drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
> maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
> ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
>
> It turns out that the correct array length exists in the local
> 'intercepts' variable of this function, so we can just use that
> instead of hardcoding '4', so this patch changes all three
> instances to use that variable. The other two instances were
> already correct, but it's more consistent this way.
>
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
Dave already applies this so I can skip this.
--
Kalle Valo
Powered by blists - more mailing lists