Commit 9d41b6ad authored by Michael Chan's avatar Michael Chan Committed by Adrian Bunk

[TG3]: Fix array overrun in tg3_read_partno().

Use proper upper limits for the loops and check for all error
conditions.

The problem was noticed by Adrian Bunk.
Signed-off-by: default avatarMichael Chan <mchan@broadcom.com>
Signed-off-by: default avatarAdrian Bunk <bunk@stusta.de>
parent de6c0ccf
...@@ -9344,7 +9344,7 @@ static int __devinit tg3_phy_probe(struct tg3 *tp) ...@@ -9344,7 +9344,7 @@ static int __devinit tg3_phy_probe(struct tg3 *tp)
static void __devinit tg3_read_partno(struct tg3 *tp) static void __devinit tg3_read_partno(struct tg3 *tp)
{ {
unsigned char vpd_data[256]; unsigned char vpd_data[256];
int i; unsigned int i;
if (tp->tg3_flags2 & TG3_FLG2_SUN_570X) { if (tp->tg3_flags2 & TG3_FLG2_SUN_570X) {
/* Sun decided not to put the necessary bits in the /* Sun decided not to put the necessary bits in the
...@@ -9367,9 +9367,9 @@ static void __devinit tg3_read_partno(struct tg3 *tp) ...@@ -9367,9 +9367,9 @@ static void __devinit tg3_read_partno(struct tg3 *tp)
} }
/* Now parse and find the part number. */ /* Now parse and find the part number. */
for (i = 0; i < 256; ) { for (i = 0; i < 254; ) {
unsigned char val = vpd_data[i]; unsigned char val = vpd_data[i];
int block_end; unsigned int block_end;
if (val == 0x82 || val == 0x91) { if (val == 0x82 || val == 0x91) {
i = (i + 3 + i = (i + 3 +
...@@ -9385,21 +9385,26 @@ static void __devinit tg3_read_partno(struct tg3 *tp) ...@@ -9385,21 +9385,26 @@ static void __devinit tg3_read_partno(struct tg3 *tp)
(vpd_data[i + 1] + (vpd_data[i + 1] +
(vpd_data[i + 2] << 8))); (vpd_data[i + 2] << 8)));
i += 3; i += 3;
while (i < block_end) {
if (block_end > 256)
goto out_not_found;
while (i < (block_end - 2)) {
if (vpd_data[i + 0] == 'P' && if (vpd_data[i + 0] == 'P' &&
vpd_data[i + 1] == 'N') { vpd_data[i + 1] == 'N') {
int partno_len = vpd_data[i + 2]; int partno_len = vpd_data[i + 2];
if (partno_len > 24) i += 3;
if (partno_len > 24 || (partno_len + i) > 256)
goto out_not_found; goto out_not_found;
memcpy(tp->board_part_number, memcpy(tp->board_part_number,
&vpd_data[i + 3], &vpd_data[i], partno_len);
partno_len);
/* Success. */ /* Success. */
return; return;
} }
i += 3 + vpd_data[i + 2];
} }
/* Part number not found. */ /* Part number not found. */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment