svn commit: r306001 - head/sys/dev/iwm
Imre Vadász
ivadasz at FreeBSD.org
Mon Sep 19 22:11:36 UTC 2016
Author: ivadasz
Date: Mon Sep 19 22:11:34 2016
New Revision: 306001
URL: https://svnweb.freebsd.org/changeset/base/306001
Log:
[iwm] Fix off-by-one check in iwm_read_firmware().
This fixes a potential buffer overrun in the firmware parsing code.
Reported by: Coverity
Approved by: adrian (mentor)
Differential Revision: https://reviews.freebsd.org/D7931
Modified:
head/sys/dev/iwm/if_iwm.c
Modified: head/sys/dev/iwm/if_iwm.c
==============================================================================
--- head/sys/dev/iwm/if_iwm.c Mon Sep 19 22:08:47 2016 (r306000)
+++ head/sys/dev/iwm/if_iwm.c Mon Sep 19 22:11:34 2016 (r306001)
@@ -739,7 +739,7 @@ iwm_read_firmware(struct iwm_softc *sc,
}
capa = (const struct iwm_ucode_capa *)tlv_data;
idx = le32toh(capa->api_index);
- if (idx > howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {
+ if (idx >= howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {
device_printf(sc->sc_dev,
"unsupported API index %d\n", idx);
goto parse_out;
More information about the svn-src-all
mailing list