Date:      Fri, 16 Aug 2019 21:03:56 +0000 (UTC)
From:      Kyle Evans <kevans@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r351143 - in stable: 11/sys/dev/oce 11/sys/dev/ral 12/sys/dev/oce 12/sys/dev/ral
Message-ID:  <201908162103.x7GL3uEM035580@repo.freebsd.org>

Author: kevans
Date: Fri Aug 16 21:03:55 2019
New Revision: 351143
URL: https://svnweb.freebsd.org/changeset/base/351143

Log:
  MFC r350630, r350657: static analysis fixes from Haiku
  
  r350630:
  oce(4): potential out of bounds access before vector validation
  
  r350657:
  ral: rt2860: fix wcid2ni access/size issue
  
  RT2860_WCID_MAX is supposed to describe the max STA index for wcid2ni, and
  was instead being used as the size -- off-by-one.
  
  rt2860_drain_stats_fifo was range-checking wcid only after a potentially
  out-of-bounds access.

Modified:
  stable/11/sys/dev/oce/oce_if.c
  stable/11/sys/dev/ral/rt2860.c
  stable/11/sys/dev/ral/rt2860var.h
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/12/sys/dev/oce/oce_if.c
  stable/12/sys/dev/ral/rt2860.c
  stable/12/sys/dev/ral/rt2860var.h
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/sys/dev/oce/oce_if.c
==============================================================================
--- stable/11/sys/dev/oce/oce_if.c	Fri Aug 16 21:01:35 2019	(r351142)
+++ stable/11/sys/dev/oce/oce_if.c	Fri Aug 16 21:03:55 2019	(r351143)
@@ -831,11 +831,13 @@ oce_fast_isr(void *arg)
 static int
 oce_alloc_intr(POCE_SOFTC sc, int vector, void (*isr) (void *arg, int pending))
 {
-	POCE_INTR_INFO ii = &sc->intrs[vector];
+	POCE_INTR_INFO ii;
 	int rc = 0, rr;
 
 	if (vector >= OCE_MAX_EQ)
 		return (EINVAL);
+
+	ii = &sc->intrs[vector];
 
 	/* Set the resource id for the interrupt.
 	 * MSIx is vector + 1 for the resource id,
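Review bot: A negative `vector` still passes the guard in oce_alloc_intr, because `vector` is a signed `int` and only the upper bound is tested before `ii = &sc->intrs[vector];`. Unless every caller is known to pass a non-negative index, the check should read `if (vector < 0 || vector >= OCE_MAX_EQ)`. The declaration of `intrs` is not part of this hunk, so it is also worth confirming that the array holds OCE_MAX_EQ entries rather than fewer. The function body continues past the end of the hunk.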

Modified: stable/11/sys/dev/ral/rt2860.c
==============================================================================
--- stable/11/sys/dev/ral/rt2860.c	Fri Aug 16 21:01:35 2019	(r351142)
+++ stable/11/sys/dev/ral/rt2860.c	Fri Aug 16 21:03:55 2019	(r351143)
@@ -1091,10 +1091,12 @@ rt2860_drain_stats_fifo(struct rt2860_softc *sc)
 		DPRINTFN(4, ("tx stat 0x%08x\n", stat));
 
 		wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
+		if (wcid > RT2860_WCID_MAX)
+			continue;
 		ni = sc->wcid2ni[wcid];
 
 		/* if no ACK was requested, no feedback is available */
-		if (!(stat & RT2860_TXQ_ACKREQ) || wcid == 0xff || ni == NULL)
+		if (!(stat & RT2860_TXQ_ACKREQ) || ni == NULL)
 			continue;
 
 		/* update per-STA AMRR stats */
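Review bot: Dropping `wcid == 0xff` from the later test is only safe if RT2860_WCID_MAX is below 0xff, and that value is not visible in this diff. `wcid` is masked out of `stat`, which looks like a device-supplied status word, so the new `if (wcid > RT2860_WCID_MAX)` is the only thing keeping the index inside `wcid2ni`. A comment above the check would record that dependency, for example `/* wcid is device-supplied; 0xff and anything above RT2860_WCID_MAX must never index wcid2ni */`. The enclosing loop and function start and end outside the hunk.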

Modified: stable/11/sys/dev/ral/rt2860var.h
==============================================================================
--- stable/11/sys/dev/ral/rt2860var.h	Fri Aug 16 21:01:35 2019	(r351142)
+++ stable/11/sys/dev/ral/rt2860var.h	Fri Aug 16 21:03:55 2019	(r351143)
@@ -141,7 +141,7 @@ struct rt2860_softc {
 #define RT2860_PCIE		(1 << 2)
 #define	RT2860_RUNNING		(1 << 3)
 
-	struct ieee80211_node		*wcid2ni[RT2860_WCID_MAX];
+	struct ieee80211_node		*wcid2ni[RT2860_WCID_MAX + 1];
 
 	struct rt2860_tx_ring		txq[6];
 	struct rt2860_rx_ring		rxq;
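Review bot: The declaration still does not say that RT2860_WCID_MAX is an inclusive maximum index, which is the confusion the commit log describes. A comment on the member such as `/* indexed by wcid, 0..RT2860_WCID_MAX inclusive */` would keep a later bounds check from treating the macro as a size again. Any other code that loops over or bounds-checks against `wcid2ni` (none is shown here) should be checked for the same `<` versus `<=` assumption. The struct continues outside the hunk.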


