[PATCH] staging: bcm: Fix out of bounds access in CmHosts.c

Dan Carpenter dan.carpenter at oracle.com
Sat Jun 7 19:34:21 UTC 2014


On Wed, Jun 04, 2014 at 07:04:30AM +0900, Masanari Iida wrote:
> The array u8IPv6FlowLable[] is defined with size 3 in cntrl_SignalingInterface.h.
> But in CmHosts.c, the kernel accesses clsRule.u8IPv6FlowLable[5].
> 

It's only used in debug code, which is #ifdef'ed out.  It's a bit dangerous
to change the structures...  We seem to read and write these to the
hardware in, for example, StoreSFParam(), which has a struct
bcm_connect_mgr_params.  I don't know that the hardware actually cares
about what we are writing to it...  That whole stuff is murky to me.

Anyway, do you think you could instead fix this problem by deleting all
the "#ifdef VERSION_D5" code?  That would be safer.

TODO-list: 2014-06-07: bcm: investigate if clsRule.u8IPv6FlowLable is used at all

regards,
dan carpenter
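To make the shape of the bug concrete, here is an added C example; it is not code from the bcm driver or from anyone in this thread. It assumes only what the report states (a 3-byte u8IPv6FlowLable[] array inside a classifier-rule struct); the struct name cls_rule_example, the neighbouring u8Tail[] field and the sample values are invented for illustration. It shows, via offsetof() rather than an actual out-of-bounds dereference, that index 5 of a 3-byte array lands in whatever field follows it, and contrasts a hard-coded index with a bounds-checked getter and an ARRAY_SIZE-driven debug dump, which is the kind of loop a debug printout should use instead of fixed subscripts.

```c
/* Added example, not code from the bcm driver or from this thread.  It
 * assumes only what the report states: a 3-byte u8IPv6FlowLable[] array
 * inside a classifier-rule struct.  The struct name, the u8Tail[] field
 * and the sample values are invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct cls_rule_example {
    uint8_t u8IPv6FlowLable[3];   /* size 3, as in the report */
    uint8_t u8Tail[5];            /* hypothetical field that follows it */
};

#define FLOW_LABEL_LEN  (sizeof(((struct cls_rule_example *)0)->u8IPv6FlowLable))
#define TAIL_LEN        (sizeof(((struct cls_rule_example *)0)->u8Tail))

/* Where does u8IPv6FlowLable[idx] actually point?  Computed with offsetof()
 * so nothing out of bounds is dereferenced.  Returns -1 when idx is a real
 * flow-label byte, the index into u8Tail[] it aliases when it spills into
 * the next field, or -2 when it is past the end of the whole struct. */
static int flow_label_index_aliases(size_t idx)
{
    size_t byte = offsetof(struct cls_rule_example, u8IPv6FlowLable) + idx;
    size_t tail = offsetof(struct cls_rule_example, u8Tail);

    if (idx < FLOW_LABEL_LEN)
        return -1;
    if (byte >= tail && byte < tail + TAIL_LEN)
        return (int)(byte - tail);
    return -2;
}

/* Bounds-checked read: the byte value, or -1 for an index the array lacks. */
static int flow_label_byte(const struct cls_rule_example *r, size_t idx)
{
    if (idx >= ARRAY_SIZE(r->u8IPv6FlowLable))
        return -1;
    return r->u8IPv6FlowLable[idx];
}

/* Debug-dump the field by iterating to ARRAY_SIZE instead of hard-coding
 * indices; returns the number of hex characters written, or -1 if buf is
 * too small. */
static int format_flow_label(const struct cls_rule_example *r, char *buf, size_t buflen)
{
    size_t off = 0;

    for (size_t i = 0; i < ARRAY_SIZE(r->u8IPv6FlowLable); i++) {
        int n = snprintf(buf + off, buflen - off, "%02x", r->u8IPv6FlowLable[i]);
        if (n < 0 || (size_t)n >= buflen - off)
            return -1;
        off += (size_t)n;
    }
    return (int)off;
}

/* Constructed sample rule used by main() and by the checks below. */
static struct cls_rule_example sample_rule(void)
{
    struct cls_rule_example r;
    memset(&r, 0, sizeof(r));
    r.u8IPv6FlowLable[0] = 0xaa;
    r.u8IPv6FlowLable[1] = 0xbb;
    r.u8IPv6FlowLable[2] = 0xcc;
    r.u8Tail[2] = 0x5c;            /* the byte that a raw [5] would have read */
    return r;
}

static int sample_flow_label_byte(size_t idx)
{
    struct cls_rule_example r = sample_rule();
    return flow_label_byte(&r, idx);
}

static const char *sample_flow_label_hex(void)
{
    static char buf[2 * FLOW_LABEL_LEN + 1];
    struct cls_rule_example r = sample_rule();
    return format_flow_label(&r, buf, sizeof(buf)) < 0 ? "" : buf;
}

int main(void)
{
    printf("u8IPv6FlowLable[5] aliases u8Tail[%d] in this layout\n",
           flow_label_index_aliases(5));
    printf("checked read of [5]: %d (array has %zu bytes)\n",
           sample_flow_label_byte(5), FLOW_LABEL_LEN);
    printf("bounded dump: %s\n", sample_flow_label_hex());
    return 0;
}
```

The aliasing helper is the reason a fixed out-of-range subscript is not harmless even in a printk: with this constructed layout, [5] reads u8Tail[2], so the debug output quietly shows a byte from a different field, and if the real struct were shorter the read would go past the object entirely. Iterating to ARRAY_SIZE(), or deleting the dead debug code as suggested above, avoids both without touching the struct layout that is exchanged with the hardware.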


