Module name: src
Changes by: s...@cvs.openbsd.org 2017/08/12 08:07:33
sys/dev/pci : if_iwm.c
Fix Coverity CID 1453280:
iwm(4) firmware could cause an out of bounds read of the ic->ic_channels
array by lying about the channel a frame was received on. This array index
is now properly bounds-checked. Not an errata-worthy fix, since the firmware
has full DMA access anyway.
While here, I noticed another problem: Stop assigning a firmware-derived value
to ni->ni_chan. The Rx interrupt handler has no business tweaking that pointer.