Commit 8dd07086 authored by roel kluin, committed by David S. Miller

lmc: Read outside array bounds



If dev_alloc_skb() fails on the first iteration of the allocation loop,
then we end up writing before the start of the array.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent a6fa3286
......@@ -1897,11 +1897,12 @@ static void lmc_softreset (lmc_softc_t * const sc) /*fold00*/
/*
* Sets end of ring
*/
sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */
sc->lmc_rxring[i - 1].buffer2 = virt_to_bus (&sc->lmc_rxring[0]); /* Point back to the start */
if (i != 0) {
sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */
sc->lmc_rxring[i - 1].buffer2 = virt_to_bus(&sc->lmc_rxring[0]); /* Point back to the start */
}
LMC_CSR_WRITE (sc, csr_rxlist, virt_to_bus (sc->lmc_rxring)); /* write base address */
/* Initialize the transmit rings and buffers */
for (i = 0; i < LMC_TXDESCS; i++)
{
......
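Review bot: The new `if (i != 0)` guard stops the write to `sc->lmc_rxring[i - 1]` when no receive buffer was allocated, but the `LMC_CSR_WRITE (sc, csr_rxlist, ...)` that follows still programs the ring base address in that case, with no descriptor carrying the end-of-buffers flag or the pointer back to the start. Since `lmc_softreset` returns void and cannot report the failure, consider logging the allocation failure or skipping the receive-list setup when `i == 0`. Separately, the subject line says "Read outside array bounds", while the guarded accesses (`|=` on `length` and the assignment to `buffer2`) are writes, as the commit body states; the subject would be clearer as "Write outside array bounds".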