diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-11 15:33:46 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-15 16:30:06 +0000 |
| commit | c79838c3a14eed1cee24731f89d7b1171751d304 (patch) | |
| tree | 486c75133ee1072075d9782672c09b39b9308013 /main/xen/patch-gcc6-etherboot-ath9k-9287-array.patch | |
| parent | ee4ffbb28c8a78a28e0315d7050f8837fa316dc5 (diff) | |
| download | aports-c79838c3a14eed1cee24731f89d7b1171751d304.tar.bz2 aports-c79838c3a14eed1cee24731f89d7b1171751d304.tar.xz | |
main/xen: upgrade to 4.7.0 and add secfixes
Diffstat (limited to 'main/xen/patch-gcc6-etherboot-ath9k-9287-array.patch')
| -rw-r--r-- | main/xen/patch-gcc6-etherboot-ath9k-9287-array.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/main/xen/patch-gcc6-etherboot-ath9k-9287-array.patch b/main/xen/patch-gcc6-etherboot-ath9k-9287-array.patch new file mode 100644 index 0000000000..7b1f369b1e --- /dev/null +++ b/main/xen/patch-gcc6-etherboot-ath9k-9287-array.patch @@ -0,0 +1,68 @@ +From 83d6f1f15f8cce844b0a131cbc63e444620e48b5 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann <arnd@arndb.de> +Date: Mon, 14 Mar 2016 15:18:36 +0100 +Subject: ath9k: fix buffer overrun for ar9287 + +Code that was added back in 2.6.38 has an obvious overflow +when accessing a static array, and at the time it was added +only a code comment was put in front of it as a reminder +to have it reviewed properly. + +This has not happened, but gcc-6 now points to the specific +overflow: + +drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs': +drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds] + maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; + ~~~~~~~~~~~~~~~~~~~~~~~~~^~~ + +It turns out that the correct array length exists in the local +'intercepts' variable of this function, so we can just use that +instead of hardcoding '4', so this patch changes all three +instances to use that variable. The other two instances were +already correct, but it's more consistent this way. + +Signed-off-by: Arnd Bergmann <arnd@arndb.de> +Fixes: 940cd2c12ebf ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs") +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + drivers/net/wireless/ath/ath9k/eeprom.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/eeprom.c b/drivers/net/wireless/ath/ath9k/eeprom.c +index 73fb423..a794157 100644 +--- a/src/drivers/net/ath/ath9k/ath9k_eeprom.c ++++ b/src/drivers/net/ath/ath9k/ath9k_eeprom.c +@@ -477,10 +477,9 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + + if (match) { + if (AR_SREV_9287(ah)) { +- /* FIXME: array overrun? */ + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_9287[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_9287[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_9287[idxL].pwrPdg[i], + data_9287[idxL].vpdPdg[i], +@@ -490,7 +489,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + } else if (eeprom_4k) { + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_4k[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_4k[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_4k[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_4k[idxL].pwrPdg[i], + data_4k[idxL].vpdPdg[i], +@@ -500,7 +499,7 @@ void ath9k_hw_get_gain_boundaries_pdadcs(struct ath_hw *ah, + } else { + for (i = 0; i < numXpdGains; i++) { + minPwrT4[i] = data_def[idxL].pwrPdg[i][0]; +- maxPwrT4[i] = data_def[idxL].pwrPdg[i][4]; ++ maxPwrT4[i] = data_def[idxL].pwrPdg[i][intercepts - 1]; + ath9k_hw_fill_vpd_table(minPwrT4[i], maxPwrT4[i], + data_def[idxL].pwrPdg[i], + data_def[idxL].vpdPdg[i], +-- +cgit v0.12 + |