svn commit: r302509 - head/sys/dev/bhnd/nvram
Landon J. Fuller
landonf at FreeBSD.org
Sun Jul 10 00:08:42 UTC 2016
Author: landonf
Date: Sun Jul 10 00:08:40 2016
New Revision: 302509
URL: https://svnweb.freebsd.org/changeset/base/302509
Log:
Fix heap overflow in bhnd(4) SPROM parsing.
The bus_region_* APIs accept the number of data items to be read, while
the code was passing the total number of bytes, resulting in an overflow
of the SPROM parser's buffer.
Approved by: adrian (mentor)
Differential Revision: https://reviews.freebsd.org/D7168
Modified:
head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c
Modified: head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c
==============================================================================
--- head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Sat Jul 9 23:22:44 2016 (r302508)
+++ head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Sun Jul 10 00:08:40 2016 (r302509)
@@ -523,7 +523,8 @@ sprom_direct_read(struct bhnd_sprom *sc,
p = (uint16_t *)buf;
res_offset = sc->sp_res_off + offset;
- bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, nbytes);
+ bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p,
+ (nbytes / sizeof(uint16_t)));
*crc = bhnd_nvram_crc8(p, nbytes, *crc);
return (0);
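Review bot: The new count argument `(nbytes / sizeof(uint16_t))` truncates when nbytes is odd, while the `bhnd_nvram_crc8(p, nbytes, *crc)` call on the next line still covers the full nbytes, so in that case the last byte fed to the CRC would not have been filled by the read. Nothing in the visible lines establishes that nbytes is a multiple of sizeof(uint16_t). Consider asserting that before the read, or documenting the requirement for callers of sprom_direct_read, so the two lengths cannot diverge silently.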