svn commit: r351143 - in stable: 11/sys/dev/oce 11/sys/dev/ral 12/sys/dev/oce 12/sys/dev/ral
Kyle Evans
kevans at FreeBSD.org
Fri Aug 16 21:03:57 UTC 2019
Author: kevans
Date: Fri Aug 16 21:03:55 2019
New Revision: 351143
URL: https://svnweb.freebsd.org/changeset/base/351143
Log:
MFC r350630, r350657: static analysis fixes from Haiku
r350630:
oce(4): potential out of bounds access before vector validation
r350657:
ral: rt2860: fix wcid2ni access/size issue
RT2860_WCID_MAX is supposed to describe the max STA index for wcid2ni, and
was instead being used as the size -- off-by-one.
rt2860_drain_stats_fifo was range-checking wcid only after accessing
out-of-bounds potentially.
Modified:
stable/12/sys/dev/oce/oce_if.c
stable/12/sys/dev/ral/rt2860.c
stable/12/sys/dev/ral/rt2860var.h
Directory Properties:
stable/12/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/11/sys/dev/oce/oce_if.c
stable/11/sys/dev/ral/rt2860.c
stable/11/sys/dev/ral/rt2860var.h
Directory Properties:
stable/11/ (props changed)
Modified: stable/12/sys/dev/oce/oce_if.c
==============================================================================
--- stable/12/sys/dev/oce/oce_if.c Fri Aug 16 21:01:35 2019 (r351142)
+++ stable/12/sys/dev/oce/oce_if.c Fri Aug 16 21:03:55 2019 (r351143)
@@ -836,11 +836,13 @@ oce_fast_isr(void *arg)
static int
oce_alloc_intr(POCE_SOFTC sc, int vector, void (*isr) (void *arg, int pending))
{
- POCE_INTR_INFO ii = &sc->intrs[vector];
+ POCE_INTR_INFO ii;
int rc = 0, rr;
if (vector >= OCE_MAX_EQ)
return (EINVAL);
+
+ ii = &sc->intrs[vector];
/* Set the resource id for the interrupt.
* MSIx is vector + 1 for the resource id,
Modified: stable/12/sys/dev/ral/rt2860.c
==============================================================================
--- stable/12/sys/dev/ral/rt2860.c Fri Aug 16 21:01:35 2019 (r351142)
+++ stable/12/sys/dev/ral/rt2860.c Fri Aug 16 21:03:55 2019 (r351143)
@@ -1092,10 +1092,12 @@ rt2860_drain_stats_fifo(struct rt2860_softc *sc)
DPRINTFN(4, ("tx stat 0x%08x\n", stat));
wcid = (stat >> RT2860_TXQ_WCID_SHIFT) & 0xff;
+ if (wcid > RT2860_WCID_MAX)
+ continue;
ni = sc->wcid2ni[wcid];
/* if no ACK was requested, no feedback is available */
- if (!(stat & RT2860_TXQ_ACKREQ) || wcid == 0xff || ni == NULL)
+ if (!(stat & RT2860_TXQ_ACKREQ) || ni == NULL)
continue;
/* update per-STA AMRR stats */
Modified: stable/12/sys/dev/ral/rt2860var.h
==============================================================================
--- stable/12/sys/dev/ral/rt2860var.h Fri Aug 16 21:01:35 2019 (r351142)
+++ stable/12/sys/dev/ral/rt2860var.h Fri Aug 16 21:03:55 2019 (r351143)
@@ -142,7 +142,7 @@ struct rt2860_softc {
#define RT2860_PCIE (1 << 2)
#define RT2860_RUNNING (1 << 3)
- struct ieee80211_node *wcid2ni[RT2860_WCID_MAX];
+ struct ieee80211_node *wcid2ni[RT2860_WCID_MAX + 1];
struct rt2860_tx_ring txq[6];
struct rt2860_rx_ring rxq;
More information about the svn-src-stable
mailing list