Message ID | 20181220140550.18853-1-colin.king@canonical.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 72255c807156adeb167444c4206c9e5eece22287 |
Delegated to: | Kalle Valo |
Headers | show |
Series | ray_cs: fix array out-of-bounds access | expand |
Colin King <colin.king@canonical.com> wrote: > From: Colin Ian King <colin.king@canonical.com> > > Currently array element org[3] is being accessed, however the array is > only 3 elements in size, so this looks like an off-by-one out-of-bounds > error. Fix this by using org[2], which I believe was the original > intent. > > This issue has existed in the driver back in the pre-git days, so no > idea when it was introduced. > > Detected by CoverityScan, CID#711344 ("Out-of-bounds read") > Signed-off-by: Colin Ian King <colin.king@canonical.com> Patch applied to wireless-drivers-next.git, thanks. 72255c807156 ray_cs: fix array out-of-bounds access
diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c index 33ad87528d9a..8b2741c8edf2 100644 --- a/drivers/net/wireless/ray_cs.c +++ b/drivers/net/wireless/ray_cs.c @@ -959,7 +959,7 @@ static int translate_frame(ray_dev_t *local, struct tx_msg __iomem *ptx, if (proto == htons(ETH_P_AARP) || proto == htons(ETH_P_IPX)) { /* This is the selective translation table, only 2 entries */ writeb(0xf8, - &((struct snaphdr_t __iomem *)ptx->var)->org[3]); + &((struct snaphdr_t __iomem *)ptx->var)->org[2]); } /* Copy body of ethernet packet without ethernet header */ memcpy_toio((void __iomem *)&ptx->var +