diff mbox series

[net,4/5] net: aquantia: fixed instack structure overflow

Message ID 0329de90095bb2eb1ae24c4c3ed2958cb5c125f8.1547878835.git.igor.russkikh@aquantia.com
State Changes Requested
Delegated to: David Miller
Headers show
Series net: aquantia: minor bug fixes after static analysis | expand

Commit Message

Igor Russkikh Jan. 21, 2019, 2:53 p.m. UTC 
This is a real stack undercorruption found by kasan build.

The issue did no harm normally because it only overflowed
2 bytes after `bitary` array which on most architectures
were mapped into `err` local.

Signed-off-by: Nikita Danilov <nikita.danilov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
---
 drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Andrew Lunn Jan. 21, 2019, 5:10 p.m. UTC | #1 
On Mon, Jan 21, 2019 at 02:53:51PM +0000, Igor Russkikh wrote:
> This is a real stack undercorruption found by kasan build.
> 
> The issue did no harm normally because it only overflowed
> 2 bytes after `bitary` array which on most architectures
> were mapped into `err` local.

Hi Igor

Since this is a real bug, please add a fixes: tag, and post it to net.

      Thanks
	Andrew
diff mbox series

Patch

diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
index b58ca7cb8e9d..c4cdc51350b2 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
@@ -199,8 +199,8 @@  static int hw_atl_b0_hw_rss_set(struct aq_hw_s *self,
 	u32 i = 0U;
 	u32 num_rss_queues = max(1U, self->aq_nic_cfg->num_rss_queues);
 	int err = 0;
-	u16 bitary[(HW_ATL_B0_RSS_REDIRECTION_MAX *
-					HW_ATL_B0_RSS_REDIRECTION_BITS / 16U)];
+	u16 bitary[1 + (HW_ATL_B0_RSS_REDIRECTION_MAX *
+		   HW_ATL_B0_RSS_REDIRECTION_BITS / 16U)];
 
 	memset(bitary, 0, sizeof(bitary));