lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Oct 2007 19:50:24 +0200 From: Adrian Bunk <bunk@...nel.org> To: "David S. Miller" <davem@...set.davemloft.net> Cc: jgarzik@...ox.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: drivers/net/niu.c: possible array overflows The Coverity checker spotted the following in drivers/net/niu.c: <-- snip --> ... static int __devinit niu_pci_probe_sprom(struct niu *np) { ... val = nr64(ESPC_MOD_STR_LEN); niudbg(PROBE, "SPROM: MOD_STR_LEN[%llu]\n", (unsigned long long) val); if (val > 8 * 4) return -EINVAL; for (i = 0; i < val; i += 4) { u64 tmp = nr64(ESPC_NCR(5 + (i / 4))); np->vpd.model[i + 3] = (tmp >> 0) & 0xff; np->vpd.model[i + 2] = (tmp >> 8) & 0xff; np->vpd.model[i + 1] = (tmp >> 16) & 0xff; np->vpd.model[i + 0] = (tmp >> 24) & 0xff; } np->vpd.model[val] = '\0'; val = nr64(ESPC_BD_MOD_STR_LEN); niudbg(PROBE, "SPROM: BD_MOD_STR_LEN[%llu]\n", (unsigned long long) val); if (val > 4 * 4) return -EINVAL; for (i = 0; i < val; i += 4) { u64 tmp = nr64(ESPC_NCR(14 + (i / 4))); np->vpd.board_model[i + 3] = (tmp >> 0) & 0xff; np->vpd.board_model[i + 2] = (tmp >> 8) & 0xff; np->vpd.board_model[i + 1] = (tmp >> 16) & 0xff; np->vpd.board_model[i + 0] = (tmp >> 24) & 0xff; } np->vpd.board_model[val] = '\0'; ... <-- snip --> Check where the '\0's get written if "val" has the maximum non-EINVAL value. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists