[bug report] ti-st: potential overflow calling st_send_frame()

Dan Carpenter error27 at gmail.com
Fri Aug 27 06:52:26 PDT 2010


Hi Pavan,

I was doing an audit for buffer overflows and I think there may be a
problem in the ti-st driver.

drivers/staging/ti-st/st_core.c +269
	st_int_recv(45) error: buffer overflow calling st_send_frame. param 0.  3 >= 3
   264                          case ST_BT_W4_DATA:
   265                                  pr_debug("Complete pkt received");
   266
   267                                  /* Ask ST CORE to forward
   268                                   * the packet to protocol driver */
   269                                  st_send_frame(protoid, st_gdata);
                                                      ^^^^^^^
I think this could be equal to ST_MAX (3) here.

   270
   271                                  st_gdata->rx_state = ST_W4_PACKET_TYPE;
   272                                  st_gdata->rx_skb = NULL;
   273                                  protoid = ST_MAX;       /* is this required ? */
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In st_send_frame() we check st_gdata->list[protoid] but ->list only has
ST_MAX elements so if protoid is ST_MAX we are one past the end of the
array.

regards,
dan carpenter
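The off-by-one described above (an index equal to the array length) is the classic `>` versus `>=` bounds-check mistake. The following is an added, constructed model written for this page, not code from the ti-st driver or from the report: the names `ST_MAX`, `list[]`, `protoid` and `st_send_frame` mirror the driver's vocabulary, but the structures, the receive callback and the frame contents are simplified stand-ins. It shows the guard a dispatcher needs before indexing a fixed-size protocol table, and exercises it with the sentinel value `ST_MAX` that the report says can reach the call.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (assumption): valid protocol ids are 0 .. ST_MAX-1. */
#define ST_MAX 3

struct st_proto {
    const char *name;
    /* Receive callback for the protocol driver that owns this slot. */
    int (*recv)(const char *frame, size_t len);
};

struct st_data {
    /* Exactly ST_MAX entries, so list[ST_MAX] is one past the end. */
    struct st_proto *list[ST_MAX];
};

/* Stand-in receiver: reports the number of bytes it consumed. */
static int model_bt_recv(const char *frame, size_t len)
{
    (void)frame;
    return (int)len;
}

/*
 * Hardened dispatcher. The check is on `>=`, not `>`: protoid == ST_MAX is
 * the sentinel the rx state machine stores after forwarding a packet, and
 * it must be rejected here rather than used as an index.
 */
static int checked_send_frame(unsigned int protoid, struct st_data *st_gdata,
                              const char *frame, size_t len)
{
    if (protoid >= ST_MAX)
        return -EINVAL;            /* would read past the end of list[] */
    if (!st_gdata->list[protoid])
        return -ENODEV;            /* slot exists but no driver registered */
    return st_gdata->list[protoid]->recv(frame, len);
}

/* Build a table with one registered protocol in slot 0 and empty slots
 * elsewhere, then try to forward a constructed 3-byte frame to `protoid`. */
static int model_send(unsigned int protoid)
{
    static struct st_proto bt = { "bt", model_bt_recv };
    struct st_data st_gdata = { { NULL } };
    const char frame[] = { 0x01, 0x02, 0x03 };  /* constructed sample payload */

    st_gdata.list[0] = &bt;
    return checked_send_frame(protoid, &st_gdata, frame, sizeof frame);
}

int main(void)
{
    unsigned int id;

    /* Sweep 0 .. ST_MAX inclusive: the last id is the sentinel case. */
    for (id = 0; id <= ST_MAX; id++)
        printf("protoid %u -> %d\n", id, model_send(id));
    return 0;
}
```

Running it shows slot 0 delivering 3 bytes, the unregistered slots returning `-ENODEV`, and `protoid == ST_MAX` returning `-EINVAL` instead of indexing past the table. In the real driver the equivalent fix is either the same guard at the top of `st_send_frame()` or ensuring the caller never invokes it with the sentinel value.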
