CVSROOT:        /cvs
Module name:    src
Changes by:    2017/08/12 08:07:33

Modified files:
        sys/dev/pci    : if_iwm.c 

Log message:
Fix Coverity CID 1453280:
iwm(4) firmware could cause an out of bounds read of the ic->ic_channels
array by lying about the channel a frame was received on. This array index
is now properly bounds-checked. Not an errata-worthy fix, since the firmware
has full DMA access anyway.

While here, I noticed another problem: Stop assigning a firmware-derived value
to ni->ni_chan. The Rx interrupt handler has no business tweaking that pointer.

ok mpi@

Reply via email to