Date:      Sun, 10 Jul 2016 00:08:41 +0000 (UTC)
From:      "Landon J. Fuller" <landonf@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r302509 - head/sys/dev/bhnd/nvram
Message-ID:  <201607100008.u6A08fWA069171@repo.freebsd.org>

Author: landonf
Date: Sun Jul 10 00:08:40 2016
New Revision: 302509
URL: https://svnweb.freebsd.org/changeset/base/302509

Log:
  Fix heap overflow in bhnd(4) SPROM parsing.
  
  The bus_region_* APIs accept the number of data items to be read, while
  the code was passing the total number of bytes, resulting in an overflow
  of the SPROM parser's buffer.
  
  Approved by:	adrian (mentor)
  Differential Revision:	https://reviews.freebsd.org/D7168

Modified:
  head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c

Modified: head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c
==============================================================================
--- head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c	Sat Jul  9 23:22:44 2016	(r302508)
+++ head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c	Sun Jul 10 00:08:40 2016	(r302509)
@@ -523,7 +523,8 @@ sprom_direct_read(struct bhnd_sprom *sc,
 	p = (uint16_t *)buf;
 	res_offset = sc->sp_res_off + offset;
 
-	bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, nbytes);
+	bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p,
+	    (nbytes / sizeof(uint16_t)));
 	*crc = bhnd_nvram_crc8(p, nbytes, *crc);
 
 	return (0);
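Review bot: the corrected count `(nbytes / sizeof(uint16_t))` silently truncates when `nbytes` is odd, and the very next line still feeds the full `nbytes` to `bhnd_nvram_crc8(p, nbytes, *crc)`, so an odd trailing byte would be included in the CRC without ever having been read into `p`. Either guard the precondition at the top of `sprom_direct_read()` (for example `KASSERT(nbytes % sizeof(uint16_t) == 0, ("unaligned SPROM read"))`) or note in a comment that callers guarantee a multiple of two. A one-line comment on the `bhnd_bus_read_region_stream_2` call saying that its last argument is a count of 16-bit items rather than bytes would also help prevent this bug from being reintroduced.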
