The patch titled tg3: fix array overrun in tg3_read_partno() has been removed from the -mm tree. Its filename was tg3-fix-array-overrun-in-tg3_read_partno.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ Subject: tg3: fix array overrun in tg3_read_partno() From: "Michael Chan" <mchan@xxxxxxxxxxxx> On Mon, 2006-11-06 at 10:45 +0100, Adrian Bunk wrote: > The Coverity checker noted the following in drivers/net/tg3.c: > > <-- snip --> > > The problem is that vpd_data[i + 2] could be vpd_data[255 + 2]. Use proper upper limits for the loops and check for all error conditions. The problem was noticed by Adrian Bunk. Signed-off-by: Michael Chan <mchan@xxxxxxxxxxxx> Cc: Adrian Bunk <bunk@xxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxx> --- drivers/net/tg3.c | 19 ++++++++++++------- 1 files changed, 12 insertions(+), 7 deletions(-) diff -puN drivers/net/tg3.c~tg3-fix-array-overrun-in-tg3_read_partno drivers/net/tg3.c --- a/drivers/net/tg3.c~tg3-fix-array-overrun-in-tg3_read_partno +++ a/drivers/net/tg3.c @@ -10212,7 +10212,7 @@ skip_phy_reset: static void __devinit tg3_read_partno(struct tg3 *tp) { unsigned char vpd_data[256]; - int i; + unsigned int i; u32 magic; if (tg3_nvram_read_swab(tp, 0x0, &magic)) @@ -10258,9 +10258,9 @@ static void __devinit tg3_read_partno(st } /* Now parse and find the part number. */ - for (i = 0; i < 256; ) { + for (i = 0; i < 254; ) { unsigned char val = vpd_data[i]; - int block_end; + unsigned int block_end; if (val == 0x82 || val == 0x91) { i = (i + 3 + @@ -10276,21 +10276,26 @@ static void __devinit tg3_read_partno(st (vpd_data[i + 1] + (vpd_data[i + 2] << 8))); i += 3; - while (i < block_end) { + + if (block_end > 256) + goto out_not_found; + + while (i < (block_end - 2)) { if (vpd_data[i + 0] == 'P' && vpd_data[i + 1] == 'N') { int partno_len = vpd_data[i + 2]; - if (partno_len > 24) + i += 3; + if (partno_len > 24 || (partno_len + i) > 256) goto out_not_found; memcpy(tp->board_part_number, - &vpd_data[i + 3], - partno_len); + &vpd_data[i], partno_len); /* Success. */ return; } + i += 3 + vpd_data[i + 2]; } /* Part number not found. */ _ Patches currently in -mm which might be from mchan@xxxxxxxxxxxx are origin.patch git-net.patch - To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html