author | Ricardo Mestre <mestre@cvs.openbsd.org> | 2017-08-22 08:49:24 +0000 |
---|---|---|
committer | Ricardo Mestre <mestre@cvs.openbsd.org> | 2017-08-22 08:49:24 +0000 |
commit | 32f8ef0546679eb1ef721c6232ab0e259d9e71ce (patch) | |
tree | daa37030e0ae411b9c6c0a429b3232971d1723b8 /sys/dev/ic | |
parent | 2bb046a478381ccfbd75da7576bf1e84496cfb2e (diff) |
Fix off by one overwrite. Coverity CID 1452938.
ee->ee_ctls evaluates to either 16 or 32 depending on the card's EEPROM version
and with the current loop condition it will write out of bounds in the second
ee->ee_ctls assignment once the condition is either i < 16 or i < 32.
OK stsp@ and tb@
Diffstat (limited to 'sys/dev/ic')
-rw-r--r-- | sys/dev/ic/ar5xxx.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/ic/ar5xxx.c b/sys/dev/ic/ar5xxx.c index b94eb6b3c86..28841c297ee 100644 --- a/sys/dev/ic/ar5xxx.c +++ b/sys/dev/ic/ar5xxx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ar5xxx.c,v 1.60 2017/08/11 20:44:25 mestre Exp $ */ +/* $OpenBSD: ar5xxx.c,v 1.61 2017/08/22 08:49:23 mestre Exp $ */ /* * Copyright (c) 2004, 2005, 2006, 2007 Reyk Floeter <reyk@openbsd.org> @@ -892,7 +892,7 @@ ar5k_eeprom_init(struct ath_hal *hal) offset = AR5K_EEPROM_CTL(hal->ah_ee_version); ee->ee_ctls = AR5K_EEPROM_N_CTLS(hal->ah_ee_version); - for (i = 0; i < ee->ee_ctls; i++) { + for (i = 0; i < ee->ee_ctls - 1; i++) { AR5K_EEPROM_READ(offset++, val); ee->ee_ctl[i] = (val >> 8) & 0xff; ee->ee_ctl[i + 1] = val & 0xff; |
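Review bot: in the `@@ -892,7 +892,7 @@` hunk of `ar5k_eeprom_init()`, the new bound `i < ee->ee_ctls - 1` keeps the `ee->ee_ctl[i + 1]` store within the first `ee_ctls` entries, but the loop still advances with `i++` while every pass unpacks one EEPROM word into two bytes. The low byte stored in `ee_ctl[i + 1]` is therefore overwritten by the high byte of the next word on the following pass, and only the last word keeps both halves. If each word is meant to carry two CTL entries, `for (i = 0; i < ee->ee_ctls; i += 2)` would stay in bounds for the 16 and 32 cases named in the commit message and preserve both bytes. If the overlap is intentional, a short comment saying so would help. The new bound also performs one fewer `AR5K_EEPROM_READ(offset++, val)` than before, so `offset` ends one lower after the loop; any later read that relies on `offset` should be checked.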