Bug 243393 - [ath] Array can be accessed out of bounds
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-wireless mailing list
Reported: 2020-01-16 15:03 UTC by ghuckriede
Modified: 2020-01-16 20:54 UTC
Description ghuckriede 2020-01-16 15:03:32 UTC
Overview:

Through code inspection it was discovered that some 'for' loops in the ath module can cause an array to go out of bounds. 

See the following files for reference:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.h?annotate=326695
Similar issue with the following 2 files:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.h?annotate=326695

Details:
In the 'for' loop at ah_eeprom_v4k.c:243, ctlEdges is accessed with index 'j' in the second dimension at ah_eeprom_v4k.c:253 and ah_eeprom_v4k.c:254. 'j' is looped up to 8 times (NUM_EDGES is defined as 8 at ah_eeprom_v4k.h:178) but ctlEdges is declared with 4 indices in the second dimension (ctlEdges declared at ah_eeprom_v4k.h:153 with AR5416_4K_NUM_BAND_EDGES which is defined as 4 at ah_eeprom_v4k.h:50).

Perhaps the 'for' loop should only iterate AR5416_4K_NUM_BAND_EDGES times? Or not use 'j' for the ctlEdges index?


Steps to Reproduce: n.a. (code inspection)

Actual Results: n.a. (code inspection)

Expected Results: n.a. (code inspection)

Build Date & Hardware:
svn r326695
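
The bound mismatch described in the report, modeled as an added example; this is not FreeBSD driver code and not a committed fix. Only the two constants and the array name ctlEdges come from the report; `model_ctl`, `model_edge`, its fields, `MODEL_CHAINS`, `NITEMS`, `EDGE_LOOP_BOUND` and both functions are hypothetical names assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* The two values below are the ones quoted in the report. */
#define NUM_EDGES                8  /* loop bound, ah_eeprom_v4k.h:178 */
#define AR5416_4K_NUM_BAND_EDGES 4  /* array dimension, ah_eeprom_v4k.h:50 */

/* Everything from here on is a constructed model, not driver code. */
#define MODEL_CHAINS 1
#define NITEMS(a) (sizeof(a) / sizeof((a)[0]))

struct model_edge { uint8_t chan, power; };
struct model_ctl {
    struct model_edge ctlEdges[MODEL_CHAINS][AR5416_4K_NUM_BAND_EDGES];
};

/* Compile-time guard: a loop bound larger than the row fails the build. */
#define EDGE_LOOP_BOUND AR5416_4K_NUM_BAND_EDGES
_Static_assert(EDGE_LOOP_BOUND <= NITEMS(((struct model_ctl *)0)->ctlEdges[0]),
    "edge loop bound exceeds ctlEdges second dimension");

/* How many j in [0, bound) would index past one ctlEdges row. */
size_t edges_past_row(size_t bound)
{
    size_t row = NITEMS(((struct model_ctl *)0)->ctlEdges[0]);
    return bound > row ? bound - row : 0;
}

/*
 * Bounded scan: the caller may ask for any count, but j never exceeds the
 * declared row length. Returns the largest power value seen; *visited gets
 * the number of elements actually read.
 */
uint8_t max_edge_power(const struct model_ctl *ctl, size_t chain,
    size_t requested, size_t *visited)
{
    size_t row = NITEMS(ctl->ctlEdges[0]);
    size_t n = requested < row ? requested : row;
    uint8_t best = 0;

    *visited = 0;
    if (chain >= NITEMS(ctl->ctlEdges))
        return 0;
    for (size_t j = 0; j < n; j++, (*visited)++)
        if (ctl->ctlEdges[chain][j].power > best)
            best = ctl->ctlEdges[chain][j].power;
    return best;
}
```

Setting `EDGE_LOOP_BOUND` to `NUM_EDGES` in this model makes the `_Static_assert` fail at build time, which is the kind of check that catches a loop bound drifting away from the array declaration.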