[Bug 243393] [ath] Array can be accessed out of bounds
bugzilla-noreply at freebsd.org
Thu Jan 16 15:03:32 UTC 2020
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243393
Bug ID: 243393
Summary: [ath] Array can be accessed out of bounds
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: ghuckriede at blackberry.com
Overview:
Through code inspection it was discovered that some 'for' loops in the ath
module can cause an array to go out of bounds.
See the following files for reference:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.h?annotate=326695
Similar issue with the following 2 files:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.h?annotate=326695
Details:
In the 'for' loop at ah_eeprom_v4k.c:243, ctlEdges is accessed with index 'j'
in the second dimension at ah_eeprom_v4k.c:253 and ah_eeprom_v4k.c:254. 'j' is
looped up to 8 times (NUM_EDGES is defined as 8 at ah_eeprom_v4k.h:178) but
ctlEdges is declared with 4 indices in the second dimension (ctlEdges declared
at ah_eeprom_v4k.h:153 with AR5416_4K_NUM_BAND_EDGES which is defined as 4 at
ah_eeprom_v4k.h:50).
Perhaps the 'for' loop should only iterate AR5416_4K_NUM_BAND_EDGES times? Or
not use 'j' for the ctlEdges index?
Steps to Reproduce: n.a. (code inspection)
Actual Results: n.a. (code inspection)
Expected Results: n.a. (code inspection)
Build Date & Hardware:
svn r326695
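Added example, not part of the original report or of the FreeBSD source: a simplified C model of the mismatch described above, with the loop bound derived from the arrays themselves instead of from a separate constant. Only NUM_EDGES, AR5416_4K_NUM_BAND_EDGES and ctlEdges come from the report; the struct layouts, the guard bytes, the destination array and the function names are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_EDGES                8 /* loop bound quoted in the report */
#define AR5416_4K_NUM_BAND_EDGES 4 /* ctlEdges second dimension, per the report */
#define MODEL_CHAINS             1 /* assumption, model only */
#define NITEMS(a)  (sizeof(a) / sizeof((a)[0]))
#define MIN(a, b)  ((a) < (b) ? (a) : (b))

struct model_edge { uint8_t bChannel, power; };  /* assumed layout */
struct model_ctl {                               /* stand-in for the EEPROM record */
    struct model_edge ctlEdges[MODEL_CHAINS][AR5416_4K_NUM_BAND_EDGES];
    uint8_t guard[8];  /* constructed: where an index j >= 4 would land */
};
struct model_out { struct model_edge edges[NUM_EDGES]; };

/* Copy edges using a bound derived from both arrays, so a change to either
 * constant cannot reintroduce the overrun. Unused slots stay zeroed.
 * Returns the number of edges copied. */
size_t copy_ctl_edges(const struct model_ctl *src, struct model_out *dst)
{
    const size_t n = MIN(NITEMS(src->ctlEdges[0]), NITEMS(dst->edges));
    size_t j;

    memset(dst, 0, sizeof(*dst));
    for (j = 0; j < n; j++)
        dst->edges[j] = src->ctlEdges[0][j];
    return n;
}

/* Constructed sample: fill the guard with 0xAA and report (1/0) whether any
 * guard byte reached the output, as an unchecked loop to NUM_EDGES could. */
int guard_leaked(void)
{
    struct model_ctl src;
    struct model_out dst;
    size_t j;
    memset(&src, 0, sizeof(src));
    memset(src.guard, 0xAA, sizeof(src.guard));
    for (j = 0; j < NITEMS(src.ctlEdges[0]); j++)
        src.ctlEdges[0][j].bChannel = (uint8_t)(10 + j);
    copy_ctl_edges(&src, &dst);
    for (j = 0; j < NITEMS(dst.edges); j++)
        if (dst.edges[j].bChannel == 0xAA || dst.edges[j].power == 0xAA)
            return 1;
    return 0;
}
int main(void) { return guard_leaked(); }
```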