Author: landonf
Date: Sun Jul 10 00:08:40 2016
New Revision: 302509
URL: https://svnweb.freebsd.org/changeset/base/302509
Log: Fix heap overflow in bhnd(4) SPROM parsing. The bus_region_* APIs accept the number of data items to be read, while the code was passing the total number of bytes, resulting in an overflow of the SPROM parser's buffer. Approved by: adrian (mentor) Differential Revision: https://reviews.freebsd.org/D7168 Modified: head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Modified: head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c ============================================================================== --- head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Sat Jul 9 23:22:44 2016 (r302508) +++ head/sys/dev/bhnd/nvram/bhnd_sprom_subr.c Sun Jul 10 00:08:40 2016 (r302509) @@ -523,7 +523,8 @@ sprom_direct_read(struct bhnd_sprom *sc, p = (uint16_t *)buf; res_offset = sc->sp_res_off + offset; - bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, nbytes); + bhnd_bus_read_region_stream_2(sc->sp_res, res_offset, p, + (nbytes / sizeof(uint16_t))); *crc = bhnd_nvram_crc8(p, nbytes, *crc); return (0); _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
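Review bot: In sprom_direct_read(), the new count `(nbytes / sizeof(uint16_t))` rounds down when nbytes is odd, while the following `bhnd_nvram_crc8(p, nbytes, *crc)` still covers all nbytes, so an odd length would feed the CRC one trailing byte of buf that the region read never filled. Nothing in the hunk shows nbytes being checked as a multiple of the item size; consider rejecting or asserting on `nbytes % sizeof(uint16_t) != 0` before the read. A one-line comment at the call stating that the bus_region_* count is in 16-bit items rather than bytes would also help keep the unit mismatch described in the log from being reintroduced.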