OSDN Git Service

(root) / tomoyo / tomoyo-test1.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 13b7997)
net: aquantia: fixed instack structure overflow
authorIgor Russkikh <Igor.Russkikh@aquantia.com>
Wed, 27 Feb 2019 12:10:09 +0000 (12:10 +0000)
committerDavid S. Miller <davem@davemloft.net>
Sat, 2 Mar 2019 00:45:15 +0000 (16:45 -0800)
This is a real stack undercorruption found by kasan build.

The issue did no harm normally because it only overflowed
2 bytes after `bitary` array which on most architectures
were mapped into `err` local.

Fixes: bab6de8fd180 ("net: ethernet: aquantia: Atlantic A0 and B0 specific functions.")
Signed-off-by: Nikita Danilov <nikita.danilov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c patch | blob | history
drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c patch | blob | history

diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
index 2469ed4..30fdcb9 100644 (file)
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
@@ -207,8 +207,8 @@ static int hw_atl_a0_hw_rss_set(struct aq_hw_s *self,
        u32 i = 0U;
        u32 num_rss_queues = max(1U, self->aq_nic_cfg->num_rss_queues);
        int err = 0;
-       u16 bitary[(HW_ATL_A0_RSS_REDIRECTION_MAX *
-                                       HW_ATL_A0_RSS_REDIRECTION_BITS / 16U)];
+       u16 bitary[1 + (HW_ATL_A0_RSS_REDIRECTION_MAX *
+                  HW_ATL_A0_RSS_REDIRECTION_BITS / 16U)];
 
        memset(bitary, 0, sizeof(bitary));
 
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
index b58ca7c..c4cdc51 100644 (file)
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
@@ -199,8 +199,8 @@ static int hw_atl_b0_hw_rss_set(struct aq_hw_s *self,
        u32 i = 0U;
        u32 num_rss_queues = max(1U, self->aq_nic_cfg->num_rss_queues);
        int err = 0;
-       u16 bitary[(HW_ATL_B0_RSS_REDIRECTION_MAX *
-                                       HW_ATL_B0_RSS_REDIRECTION_BITS / 16U)];
+       u16 bitary[1 + (HW_ATL_B0_RSS_REDIRECTION_MAX *
+                  HW_ATL_B0_RSS_REDIRECTION_BITS / 16U)];
 
        memset(bitary, 0, sizeof(bitary));
 
This is a test repository.
About OSDN
Find Software
Develop Software
Help