summaryrefslogtreecommitdiff
path: root/sys/dev/ic
diff options
context:
space:
mode:
authorRicardo Mestre <mestre@cvs.openbsd.org>2017-08-22 08:49:24 +0000
committerRicardo Mestre <mestre@cvs.openbsd.org>2017-08-22 08:49:24 +0000
commit32f8ef0546679eb1ef721c6232ab0e259d9e71ce (patch)
treedaa37030e0ae411b9c6c0a429b3232971d1723b8 /sys/dev/ic
parent2bb046a478381ccfbd75da7576bf1e84496cfb2e (diff)
Fix off by one overwrite. Covery CID 1452938.
ee->ee_ctls evaluates to either 16 or 32 depending on the card's EEPROM version and with the current loop condition it will write out of bounds in the second ee->ee_ctls assignment once the condition is either i < 16 or i < 32. OK stsp@ and tb@
Diffstat (limited to 'sys/dev/ic')
-rw-r--r--sys/dev/ic/ar5xxx.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/ic/ar5xxx.c b/sys/dev/ic/ar5xxx.c
index b94eb6b3c86..28841c297ee 100644
--- a/sys/dev/ic/ar5xxx.c
+++ b/sys/dev/ic/ar5xxx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ar5xxx.c,v 1.60 2017/08/11 20:44:25 mestre Exp $ */
+/* $OpenBSD: ar5xxx.c,v 1.61 2017/08/22 08:49:23 mestre Exp $ */
/*
* Copyright (c) 2004, 2005, 2006, 2007 Reyk Floeter <reyk@openbsd.org>
@@ -892,7 +892,7 @@ ar5k_eeprom_init(struct ath_hal *hal)
offset = AR5K_EEPROM_CTL(hal->ah_ee_version);
ee->ee_ctls = AR5K_EEPROM_N_CTLS(hal->ah_ee_version);
- for (i = 0; i < ee->ee_ctls; i++) {
+ for (i = 0; i < ee->ee_ctls - 1; i++) {
AR5K_EEPROM_READ(offset++, val);
ee->ee_ctl[i] = (val >> 8) & 0xff;
ee->ee_ctl[i + 1] = val & 0xff;