提交 8dd07086 编写于 作者: R roel kluin 提交者: David S. Miller

lmc: Read outside array bounds

If dev_alloc_skb() fails on the first iteration of the allocation loop,
then we end up writing before the start of the array.
Signed-off-by: NRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 a6fa3286
......@@ -1897,11 +1897,12 @@ static void lmc_softreset (lmc_softc_t * const sc) /*fold00*/
/*
* Sets end of ring
*/
sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */
sc->lmc_rxring[i - 1].buffer2 = virt_to_bus (&sc->lmc_rxring[0]); /* Point back to the start */
if (i != 0) {
sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */
sc->lmc_rxring[i - 1].buffer2 = virt_to_bus(&sc->lmc_rxring[0]); /* Point back to the start */
}
LMC_CSR_WRITE (sc, csr_rxlist, virt_to_bus (sc->lmc_rxring)); /* write base address */
/* Initialize the transmit rings and buffers */
for (i = 0; i < LMC_TXDESCS; i++)
{
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册