243393 – [ath] Array can be accessed out of bounds

Bug 243393 - [ath] Array can be accessed out of bounds

Summary: [ath] Array can be accessed out of bounds

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	freebsd-wireless (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-01-16 15:03 UTC by ghuckriede
Modified:	2020-01-16 20:54 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description ghuckriede 2020-01-16 15:03:32 UTC

Overview:

Through code inspection it was discovered that some 'for' loops in the ath module can cause an array to go out of bounds. 

See the following files for reference:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_v4k.h?annotate=326695
Similar issue with the following 2 files:
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.c?annotate=326695
https://svnweb.freebsd.org/base/head/sys/dev/ath/ath_hal/ah_eeprom_9287.h?annotate=326695

Details:
In the 'for' loop at ah_eeprom_v4k.c:243, ctlEdges is accesses with index 'j' in the second dimension at ah_eeprom_v4k.c:253 and ah_eeprom_v4k.c:254.  'j' is looped up to 8 times (NUM_EDGES is defined as 8 at ah_eeprom_v4k.h:178) but ctlEdges is declared with 4 indices in the second dimension (ctrEdges declared at ah_eeprom_v4k.h:153 with  AR5416_4K_NUM_BAND_EDGES which is defined as 4 at ah_eeprom_v4k.h:50).

Perhaps the 'for' loop should only iterate AR5416_4K_NUM_BAND_EDGES times? Or not use 'j' for the ctlEdges index?


Steps to Reproduce: n.a. (code inspection)

Actual Results: n.a. (code inspection)

Expected Results: n.a. (code inspection)

Build Date & Hardware:
svn r326695