author | 2017-08-22 08:49:23 +0000 | |
---|---|---|
committer | 2017-08-22 08:49:23 +0000 | |
commit | 69aafab67f12840d249cbcaa5da0d31a42e7bd1c (patch) | |
tree | a954e63ee7318174c253766ab1d768c5e18d7427 | |
parent | sync (diff) | |
Fix off by one overwrite. Coverity CID 1452938.
ee->ee_ctls evaluates to either 16 or 32 depending on the card's EEPROM version
and with the current loop condition it will write out of bounds in the second
ee->ee_ctls assignment once the condition is either i < 16 or i < 32.
OK stsp@ and tb@
-rw-r--r-- | sys/dev/ic/ar5xxx.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/dev/ic/ar5xxx.c b/sys/dev/ic/ar5xxx.c index b94eb6b3c86..28841c297ee 100644 --- a/sys/dev/ic/ar5xxx.c +++ b/sys/dev/ic/ar5xxx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ar5xxx.c,v 1.60 2017/08/11 20:44:25 mestre Exp $ */ +/* $OpenBSD: ar5xxx.c,v 1.61 2017/08/22 08:49:23 mestre Exp $ */ /* * Copyright (c) 2004, 2005, 2006, 2007 Reyk Floeter <reyk@openbsd.org> @@ -892,7 +892,7 @@ ar5k_eeprom_init(struct ath_hal *hal) offset = AR5K_EEPROM_CTL(hal->ah_ee_version); ee->ee_ctls = AR5K_EEPROM_N_CTLS(hal->ah_ee_version); - for (i = 0; i < ee->ee_ctls; i++) { + for (i = 0; i < ee->ee_ctls - 1; i++) { AR5K_EEPROM_READ(offset++, val); ee->ee_ctl[i] = (val >> 8) & 0xff; ee->ee_ctl[i + 1] = val & 0xff; |
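Review bot: In the ar5k_eeprom_init hunk, the loop still advances with i++ while the body stores two entries per EEPROM word read (ee->ee_ctl[i] and ee->ee_ctl[i + 1]), so every iteration overwrites the i + 1 slot that the previous iteration filled with the low byte. The new bound i < ee->ee_ctls - 1 keeps the last i + 1 write inside the array, but the result holds only the high byte of each word except in the final slot, and offset is advanced ee_ctls - 1 times. If each word is meant to supply two consecutive CTL entries, consider keeping the bound i < ee->ee_ctls and stepping with i += 2 instead; with ee_ctls being 16 or 32, as the commit message states, i + 1 then never exceeds ee_ctls - 1 and both bytes are kept. A short comment on the loop stating how many words are read and how they map to ee_ctl[] would make the intended layout checkable. The rest of the loop body is not visible in this hunk, so confirm nothing after these lines depends on the overlapping writes.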