From patchwork Thu Jul 30 10:26:32 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: roel kluin <roel.kluin@gmail.com>
X-Patchwork-Id: 30379
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@bilbo.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from ozlabs.org (ozlabs.org [203.10.76.45])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mx.ozlabs.org",
	Issuer "CA Cert Signing Authority" (verified OK))
	by bilbo.ozlabs.org (Postfix) with ESMTPS id 23235B7BA1
	for <patchwork-incoming@bilbo.ozlabs.org>;
	Thu, 30 Jul 2009 20:23:45 +1000 (EST)
Received: by ozlabs.org (Postfix)
	id 10971DDDE1; Thu, 30 Jul 2009 20:23:45 +1000 (EST)
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 84262DDDD4
	for <patchwork-incoming@ozlabs.org>;
	Thu, 30 Jul 2009 20:23:44 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752295AbZG3KXh (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Thu, 30 Jul 2009 06:23:37 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752215AbZG3KXh
	(ORCPT <rfc822; netdev-outgoing>); Thu, 30 Jul 2009 06:23:37 -0400
Received: from ey-out-2122.google.com ([74.125.78.26]:27143 "EHLO
	ey-out-2122.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752183AbZG3KXg (ORCPT
	<rfc822;netdev@vger.kernel.org>); Thu, 30 Jul 2009 06:23:36 -0400
Received: by ey-out-2122.google.com with SMTP id 9so356031eyd.37
	for <netdev@vger.kernel.org>; Thu, 30 Jul 2009 03:23:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from
	:user-agent:mime-version:to:cc:subject:references:in-reply-to
	:content-type:content-transfer-encoding;
	bh=C7a7XnPPJIPNXpM7VTumr4t72nC8gopfUGWT3ms0QAA=;
	b=xqVDldZo5NJzRtwhUhH8sF7E86DxvAsF5Gn3OXHIDpBj1czCiCV04MTUgyjlP/7VUC
	pZtFMEmZfWDIDnDF8rUHoa3v52qVRZsN15ddLeU5fMWU35fti+65TwHeBEHGr1IuL9L4
	ah3C6TBZj38jImIQ6cg7tdgCK5sRUa5SsjY70=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:cc:subject
	:references:in-reply-to:content-type:content-transfer-encoding;
	b=hWSoABkCnm3e9kcViqSovF3aVdmCejC2wpYRAEegD2gjRzAbIQ9bhQs9tlo2yYJfi3
	dbBk25HAQjpq3owCbNXPTFPKkGjaNNfc7PsPC5tHEV0VsmSvTKMmyyetXo8wRxF8N/B8
	/oAgH3XKStsEW827oDTzHT0n/Oe8fm8VtWt78=
Received: by 10.210.13.17 with SMTP id 17mr1231085ebm.38.1248949416140;
	Thu, 30 Jul 2009 03:23:36 -0700 (PDT)
Received: from zoinx.mars (d133062.upc-d.chello.nl [213.46.133.62])
	by mx.google.com with ESMTPS id 7sm2300309eyg.5.2009.07.30.03.23.34
	(version=SSLv3 cipher=RC4-MD5);
	Thu, 30 Jul 2009 03:23:35 -0700 (PDT)
Message-ID: <4A717558.2050407@gmail.com>
Date: Thu, 30 Jul 2009 12:26:32 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11
	Thunderbird/3.0b2
MIME-Version: 1.0
To: Jarek Poplawski <jarkao2@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>, netdev <netdev@vger.kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] 3c515: Write outside array bounds
References: <4A6B88B1.9000907@gmail.com> <4A6CC7BD.9020602@gmail.com>
	<4A705904.4020505@gmail.com>
	<20090729204300.GC3058@ami.dom.local>
In-Reply-To: <20090729204300.GC3058@ami.dom.local>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

if dev_alloc_skb() fails on the first iteration, a write to
cp->rx_ring[-1] occurs.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
>>>> can we error return like this?
>>>
>>> I doubt we can return here: there is a lot of cleaning missing.

>> I took drivers/net/3c59x.c as an example
>>
>> Is this going in the right direction?
> 
> The direction is right but a long and winding road... I guess it's for
> somebody with drivers knowhow. It seems most of the corkscrew_close()
> might be needed, including del_timer(). So, since this -1 case looks
> quite unlikely, it might be reasonable to only limit the most obvious
> damage with 'if (i != 0)' before [i - 1] write, like David advised
> in lmc case?
> 
> Cheers,
> Jarek P.

Thanks, here it is:

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/drivers/net/3c515.c b/drivers/net/3c515.c
index 3e00fa8..4a7c328 100644
--- a/drivers/net/3c515.c
+++ b/drivers/net/3c515.c
@@ -832,7 +832,9 @@ static int corkscrew_open(struct net_device *dev)
 			skb_reserve(skb, 2);	/* Align IP on 16 byte boundaries */
 			vp->rx_ring[i].addr = isa_virt_to_bus(skb->data);
 		}
-		vp->rx_ring[i - 1].next = isa_virt_to_bus(&vp->rx_ring[0]);	/* Wrap the ring. */
+		if (i != 0)
+			vp->rx_ring[i - 1].next =
+				isa_virt_to_bus(&vp->rx_ring[0]);	/* Wrap the ring. */
 		outl(isa_virt_to_bus(&vp->rx_ring[0]), ioaddr + UpListPtr);
 	}
 	if (vp->full_bus_master_tx) {	/* Boomerang bus master Tx. */