Author: eadler
Date: Thu Mar 1 04:46:58 2018
New Revision: 330148
URL: https://svnweb.freebsd.org/changeset/base/330148
Log:
MFC r306001
[iwm] Fix off-by-one check in iwm_read_firmware().
This fixes a potential buffer overrun in the firmware parsing code.
Modified:
stable/11/sys/dev/iwm/if_iwm.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/dev/iwm/if_iwm.c
==============================================================================
--- stable/11/sys/dev/iwm/if_iwm.c Thu Mar 1 04:44:17 2018
(r330147)
+++ stable/11/sys/dev/iwm/if_iwm.c Thu Mar 1 04:46:58 2018
(r330148)
@@ -739,7 +739,7 @@ iwm_read_firmware(struct iwm_softc *sc, enum iwm_ucode
}
capa = (const struct iwm_ucode_capa *)tlv_data;
idx = le32toh(capa->api_index);
- if (idx > howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {
+ if (idx >= howmany(IWM_NUM_UCODE_TLV_CAPA, 32)) {
device_printf(sc->sc_dev,
"unsupported API index %d\n", idx);
goto parse_out;
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
