svn commit: r330923 - stable/11/sys/dev/bhnd/nvram
Eitan Adler
eadler at FreeBSD.org
Wed Mar 14 08:45:20 UTC 2018
Author: eadler
Date: Wed Mar 14 08:45:19 2018
New Revision: 330923
URL: https://svnweb.freebsd.org/changeset/base/330923
Log:
MFC r302509:
Fix heap overflow in bhnd(4) SPROM parsing.
The bus_region_* APIs accept the number of data items to be read, while
the code was passing the total number of bytes, resulting in an overflow
of the SPROM parser's buffer.
Modified:
stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c
==============================================================================
--- stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Wed Mar 14 08:33:03 2018 (r330922)
+++ stable/11/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Wed Mar 14 08:45:19 2018 (r330923)
@@ -523,7 +523,8 @@ sprom_direct_read(struct bhnd_sprom *sc, size_t offset
p = (uint16_t *)buf;
res_offset = sc->sp_res_off + offset;
- bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, nbytes);
+ bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p,
+ (nbytes / sizeof(uint16_t)));
*crc = bhnd_nvram_crc8(p, nbytes, *crc);
return (0);
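Review bot: the new count argument (nbytes / sizeof(uint16_t)) rounds down when nbytes is odd, so the read would fill one byte fewer than the following bhnd_nvram_crc8(p, nbytes, *crc) call covers, and the CRC would take in a trailing byte of buf that this read never wrote. Unless code above the visible context already rejects that case, check that nbytes is a multiple of sizeof(uint16_t) before the read, either with a KASSERT or by returning EINVAL. A one-line comment at the call stating that the count is in 2-byte items rather than bytes would also help keep the original mistake from coming back.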