G'day list
Coverity found 3 'OVERRUN_STATIC' in de4x5.c, @ lines 4814, 5115 and
5125.
Looking at the code these look like very minor problems, but as they are
easy to fix I though I would do a patch.
The patch below just adds an explicit check for the array index in
type3_infoblock() and corrects a loop exit check, to eliminate an
(array+1) error in mii_get_phy().
Note: A better solution in type3_infoblock() may be to change
- #define MOTO_SROM_BUG ((lp->active == 8) &&
(((le32_to_cpu(get_unaligned(((s32 *)dev->dev_addr))))&0x00ffffff)==0x3e0008))
+ #define MOTO_SROM_BUG ((lp->active >= DE4X5_MAX_PHY) ||
(((le32_to_cpu(get_unaligned(((s32 *)dev->dev_addr))))&0x00ffffff)==0x3e0008
as this seems to make sense, but as i am not sure that this bug happens
when (lp->active < 8) I am reluctant to change this.
Signed-off-by: Darren Jenkins <[EMAIL PROTECTED]>
--- linux-2.6.16-git8/drivers/net/tulip/de4x5.c.orig 2006-03-26
14:36:17.000000000 +1100
+++ linux-2.6.16-git8/drivers/net/tulip/de4x5.c 2006-03-26 17:06:06.000000000
+1100
@@ -4810,7 +4810,8 @@ type3_infoblock(struct net_device *dev,
if (lp->state == INITIALISED) {
lp->ibn = 3;
lp->active = *p++;
- if (MOTO_SROM_BUG) lp->active = 0;
+ if (MOTO_SROM_BUG || lp->active >= DE4X5_MAX_PHY)
+ lp->active = 0;
lp->phy[lp->active].gep = (*p ? p : NULL); p += (2 * (*p) + 1);
lp->phy[lp->active].rst = (*p ? p : NULL); p += (2 * (*p) + 1);
lp->phy[lp->active].mc = TWIDDLE(p); p += 2;
@@ -5111,7 +5112,7 @@ mii_get_phy(struct net_device *dev)
break;
}
if ((j == limit) && (i < DE4X5_MAX_MII)) {
- for (k=0; lp->phy[k].id && (k < DE4X5_MAX_PHY); k++);
+ for (k=0; lp->phy[k].id && (k < DE4X5_MAX_PHY - 1); k++);
lp->phy[k].addr = i;
lp->phy[k].id = id;
lp->phy[k].spd.reg = GENERIC_REG; /* ANLPA register */
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
