+ tg3-fix-array-overrun-in-tg3_read_partno.patch added to -mm tree

The patch titled
     tg3: fix array overrun in tg3_read_partno()
has been added to the -mm tree.  Its filename is
     tg3-fix-array-overrun-in-tg3_read_partno.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: tg3: fix array overrun in tg3_read_partno()
From: "Michael Chan" <mchan@xxxxxxxxxxxx>

On Mon, 2006-11-06 at 10:45 +0100, Adrian Bunk wrote:
> The Coverity checker noted the following in drivers/net/tg3.c:
>
> <--  snip  -->
>
> The problem is that vpd_data[i + 2] could be vpd_data[255 + 2].

Use proper upper limits for the loops and check for all error conditions.

The problem was noticed by Adrian Bunk.

Signed-off-by: Michael Chan <mchan@xxxxxxxxxxxx>
Cc: Adrian Bunk <bunk@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 drivers/net/tg3.c |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)

diff -puN drivers/net/tg3.c~tg3-fix-array-overrun-in-tg3_read_partno drivers/net/tg3.c
--- a/drivers/net/tg3.c~tg3-fix-array-overrun-in-tg3_read_partno
+++ a/drivers/net/tg3.c
@@ -10212,7 +10212,7 @@ skip_phy_reset:
 static void __devinit tg3_read_partno(struct tg3 *tp)
 {
 	unsigned char vpd_data[256];
-	int i;
+	unsigned int i;
 	u32 magic;
 
 	if (tg3_nvram_read_swab(tp, 0x0, &magic))
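Review bot: the switch of `i` to `unsigned int` at the top of tg3_read_partno() is not explained in the changelog, and it leaves `int partno_len` further down as the only signed operand in `(partno_len + i) > 256`. That comparison is still correct, because partno_len is loaded from an unsigned char and cannot be negative, but declaring partno_len unsigned as well would keep the bounds arithmetic in one signedness. A short sentence in the changelog on why the index is now unsigned would also help.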
@@ -10258,9 +10258,9 @@ static void __devinit tg3_read_partno(st
 	}
 
 	/* Now parse and find the part number. */
-	for (i = 0; i < 256; ) {
+	for (i = 0; i < 254; ) {
 		unsigned char val = vpd_data[i];
-		int block_end;
+		unsigned int block_end;
 
 		if (val == 0x82 || val == 0x91) {
 			i = (i + 3 +
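Review bot: the new loop limit `i < 254` is a bare constant whose meaning has to be inferred. It is the size of vpd_data[256] minus the two header bytes read at vpd_data[i + 1] and vpd_data[i + 2]. Writing it as `sizeof(vpd_data) - 2`, or adding a short comment, would keep the limit tied to the array declaration if the buffer size ever changes.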
@@ -10276,21 +10276,26 @@ static void __devinit tg3_read_partno(st
 			     (vpd_data[i + 1] +
 			      (vpd_data[i + 2] << 8)));
 		i += 3;
-		while (i < block_end) {
+
+		if (block_end > 256)
+			goto out_not_found;
+
+		while (i < (block_end - 2)) {
 			if (vpd_data[i + 0] == 'P' &&
 			    vpd_data[i + 1] == 'N') {
 				int partno_len = vpd_data[i + 2];
 
-				if (partno_len > 24)
+				i += 3;
+				if (partno_len > 24 || (partno_len + i) > 256)
 					goto out_not_found;
 
 				memcpy(tp->board_part_number,
-				       &vpd_data[i + 3],
-				       partno_len);
+				       &vpd_data[i], partno_len);
 
 				/* Success. */
 				return;
 			}
+			i += 3 + vpd_data[i + 2];
 		}
 
 		/* Part number not found. */
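Review bot: the new length check `(partno_len + i) > 256` in the 'PN' branch tests against the end of vpd_data rather than against block_end, so a part-number field whose length byte runs past the end of its enclosing block but stays inside the 256-byte buffer is still accepted and copied. block_end has already been validated as <= 256 just above, so comparing against it, as in `(partno_len + i) > block_end`, would give the tighter check and would not need the literal. The added `i += 3 + vpd_data[i + 2];` at the bottom of the while loop is also a behaviour change, since the old loop body never advanced i when the keyword was not 'PN', and it deserves a mention in the changelog.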
_

Patches currently in -mm which might be from mchan@xxxxxxxxxxxx are

origin.patch
tg3-fix-array-overrun-in-tg3_read_partno.patch
