CVSROOT:        /cvs
Module name:    src
Changes by:     s...@cvs.openbsd.org    2017/08/12 08:07:33

Modified files:
        sys/dev/pci    : if_iwm.c 

Log message:
Fix Coverity CID 1453280:
iwm(4) firmware could cause an out of bounds read of the ic->ic_channels
array by lying about the channel a frame was received on. This array index
is now properly bounds-checked. Not an errata-worthy fix, since the firmware
has full DMA access anyway.

While here, I noticed another problem: Stop assigning a firmware-derived value
to ni->ni_chan. The Rx interrupt handler has no business tweaking that pointer.

ok mpi@
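
The bug class this commit describes, as an added example that is not code from if_iwm.c or the OpenBSD tree: a device-supplied channel number used as an array index, before and after validation. All structure and function names are hypothetical, and returning NULL so the caller drops the frame is an assumption about how an out-of-range value is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not OpenBSD code: every name here is hypothetical. */
#define NCHAN 8
#define nitems(a) (sizeof(a) / sizeof((a)[0]))

struct channel { uint16_t freq; };
struct node { const struct channel *chan; };
struct wlan {
	struct channel channels[NCHAN];	/* table indexed by channel number */
	struct node bss;		/* channel chosen by the host stack */
};

/* Rx metadata as written by the device; every field is untrusted. */
struct rx_meta { uint8_t channel; };

/* Before: device value indexes the table and overwrites host-owned state. */
const struct channel *
rx_chan_unchecked(struct wlan *w, const struct rx_meta *m)
{
	w->bss.chan = &w->channels[m->channel];	/* OOB if channel >= NCHAN */
	return w->bss.chan;
}

/* After: index checked against the table size, node pointer left alone. */
const struct channel *
rx_chan_checked(const struct wlan *w, const struct rx_meta *m)
{
	size_t idx = m->channel;

	if (idx >= nitems(w->channels))
		return NULL;		/* assumption: caller drops the frame */
	return &w->channels[idx];
}

int
main(void)
{
	struct wlan w = {0};
	struct rx_meta ok = { 5 }, bad = { 200 };	/* constructed inputs */
	w.bss.chan = &w.channels[3];
	printf("in range: %s\n", rx_chan_checked(&w, &ok) ? "accepted" : "dropped");
	printf("out of range: %s\n", rx_chan_checked(&w, &bad) ? "accepted" : "dropped");
	printf("node channel untouched: %s\n", w.bss.chan == &w.channels[3] ? "yes" : "no");
	return 0;
}
```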
