From patchwork Mon Mar 14 14:18:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 8579551 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id 129A29F6E1 for ; Mon, 14 Mar 2016 14:22:54 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 347BE20259 for ; Mon, 14 Mar 2016 14:22:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 49814201BC for ; Mon, 14 Mar 2016 14:22:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964956AbcCNOUh (ORCPT ); Mon, 14 Mar 2016 10:20:37 -0400 Received: from mout.kundenserver.de ([212.227.17.10]:55853 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934373AbcCNOUd (ORCPT ); Mon, 14 Mar 2016 10:20:33 -0400 Received: from wuerfel.lan. ([78.42.132.4]) by mrelayeu.kundenserver.de (mreue102) with ESMTPA (Nemesis) id 0MXprj-1aI5Z93OkB-00WpYP; Mon, 14 Mar 2016 15:18:56 +0100 From: Arnd Bergmann To: "David S. Miller" Cc: netdev@vger.kernel.org, Arnd Bergmann , QCA ath9k Development , Kalle Valo , linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org, linux-kernel@vger.kernel.org Subject: [PATCH 3/5] ath9k: fix buffer overrun for ar9287 Date: Mon, 14 Mar 2016 15:18:36 +0100 Message-Id: <1457965120-3155420-4-git-send-email-arnd@arndb.de> X-Mailer: git-send-email 2.7.0 In-Reply-To: <1457965120-3155420-1-git-send-email-arnd@arndb.de> References: <1457965120-3155420-1-git-send-email-arnd@arndb.de> X-Provags-ID: V03:K0:sdjLH/htK5mppyPsmHtI+QH4uKKiXjkJ/uwsVX5i0drjHK5Sk58 Gn5r1UWGdg80l8lTw0FEIV8MEI/wv32fBvEpPi46D9a3xThsIup2k73Co2gP4vfR/98UbVD kPoE8UcqlBl3K3UfoTGs9Kq6CS6iJQ6aBfW+bEi/7pMLXhryaBpILyyhDW5q11R7qqljiyr TPvGB9mFQpyZM6rLOceiw== X-UI-Out-Filterresults: notjunk:1; V01:K0:uVEfDJhNYaU=:Tv2wD2iI4euGBfjzDZmQnz PkgWrICxFymSiKb+XBMn67Pa9tlvwBBusmZCGYxaSOkMzgaxiilDcY9+O5vXrM7DPSFkJrx5l b0X3c8tmLrpwSM39fmg22uAqMY06kx9+KkINNHoFYtL/Uni32qzk7egqNEo2I6fxUuI2eusKq uUwVOh9uP7/s5DfiqyBo7SgeqKJijoWGYC5KK7OJPUlRVSVUKcl4kixSXmz3/ZZx2kxVaNnL2 KJMDfeV3Z7776hSBTTESfxuJWbqCVIG/6qn6CIF+oys9x6Cbs//bgmnTPxmQlRmi9dDCK5Uu1 YQBu2yd1bbOYDM2DJGkdvP5dcxjCMaEYJLHW5RWRc0vShoNQ7fa/L0oc2KgNweM+6URGTLfSQ n2jCQ+0nXvyFzjIjaHhrhjnR8k2jLaHhDIrfC/DR83dzak0Eaa6Mk6Qu/pLdsJd++TT+/8TLp 74mF0WBuqiWKHxhGrBBlKlpv6ZQtp2FLtKWnJvgblXmbI8AyG7yJw38XfncSKyGHGAHdOVdsJ QGBN024Dn61O6uuSiCQeAzv+nFxoxKsbV+EqV/ZilwrdMDu0+dxXUVqYdv65B4M9S1IDe6mP5 TRj972n+zLCPtTxg4PL7XM1VmL0pcMFduoAvv1Cax0XpanaKm6wYBoaDh8LPLuqWLOcsdfFHe NWjoddDTf+pr7LTtf3oFNH+kgZ3kbwLkEzN8oApdhxBDSwQhE3D4CyPAkOh1BsG/f0w0= Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Code that was added back in 2.6.38 has an obvious overflow when accessing a static array, and at the time it was added only a code comment was put in front of it as a reminder to have it reviewed properly. This has not happened, but gcc-6 now points to the specific overflow: drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs': drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds] maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; ~~~~~~~~~~~~~~~~~~~~~~~~~^~~ It turns out that the correct array length exists in the local 'intercepts' variable of this function, so we can just use that instead of hardcoding '4', so this patch changes all three instances to use that variable. The other two instances were already correct, but it's more consistent this way. Signed-off-by: Arnd Bergmann Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs") --- drivers/net/wireless/ath/ath9k/eeprom.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c index 73fb4232f9f2..a794157a147d 100644 --- a/drivers/net/wireless/ath/ath9k/eeprom.c +++ b/drivers/net/wireless/ath/ath9k/eeprom.c @@ -477,10 +477,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, if (match) { if (AR_SREV_9287(ah)) { - /* FIXME: array overrun? */ for (i = 0; i < numXpdGains; i++) { minPwrT4[i] = data_9287[idxL].pwrPdg[i][0]; - maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; + maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1]; ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], data_9287[idxL].pwrPdg[i], data_9287[idxL].vpdPdg[i], @@ -490,7 +489,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, } else if (eeprom_4k) { for (i = 0; i < numXpdGains; i++) { minPwrT4[i] = data_4k[idxL].pwrPdg[i][0]; - maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4]; + maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1]; ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], data_4k[idxL].pwrPdg[i], data_4k[idxL].vpdPdg[i], @@ -500,7 +499,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, } else { for (i = 0; i < numXpdGains; i++) { minPwrT4[i] = data_def[idxL].pwrPdg[i][0]; - maxPwrT4[i] = data_def[idxL].pwrPdg[i][4]; + maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1]; ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], data_def[idxL].pwrPdg[i], data_def[idxL].vpdPdg[i],