diff options
| author | Bruce Allan <bruce.w.allan@intel.com> | 2009-12-01 10:47:02 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-12-02 03:35:52 -0500 |
| commit | eb656d4552a6c9de5fdcee4a376b171f57b8a4a2 (patch) | |
| tree | e9b89b76b3bc1ca1347ce9051b007c16ee8ba81d /drivers | |
| parent | caaddaf83501c79fe11b183c8972e60d8b7d5d56 (diff) | |
e1000e: guard against buffer overflow in cable length tables
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/e1000e/es2lan.c | 17 | ||||
| -rw-r--r-- | drivers/net/e1000e/phy.c | 14 |
2 files changed, 24 insertions, 7 deletions
diff --git a/drivers/net/e1000e/es2lan.c b/drivers/net/e1000e/es2lan.c index 3ff932f02f29..3f435c16608d 100644 --- a/drivers/net/e1000e/es2lan.c +++ b/drivers/net/e1000e/es2lan.c | |||
| @@ -99,6 +99,8 @@ | |||
| 99 | */ | 99 | */ |
| 100 | static const u16 e1000_gg82563_cable_length_table[] = | 100 | static const u16 e1000_gg82563_cable_length_table[] = |
| 101 | { 0, 60, 115, 150, 150, 60, 115, 150, 180, 180, 0xFF }; | 101 | { 0, 60, 115, 150, 150, 60, 115, 150, 180, 180, 0xFF }; |
| 102 | #define GG82563_CABLE_LENGTH_TABLE_SIZE \ | ||
| 103 | ARRAY_SIZE(e1000_gg82563_cable_length_table) | ||
| 102 | 104 | ||
| 103 | static s32 e1000_setup_copper_link_80003es2lan(struct e1000_hw *hw); | 105 | static s32 e1000_setup_copper_link_80003es2lan(struct e1000_hw *hw); |
| 104 | static s32 e1000_acquire_swfw_sync_80003es2lan(struct e1000_hw *hw, u16 mask); | 106 | static s32 e1000_acquire_swfw_sync_80003es2lan(struct e1000_hw *hw, u16 mask); |
| @@ -694,20 +696,27 @@ static s32 e1000_phy_force_speed_duplex_80003es2lan(struct e1000_hw *hw) | |||
| 694 | static s32 e1000_get_cable_length_80003es2lan(struct e1000_hw *hw) | 696 | static s32 e1000_get_cable_length_80003es2lan(struct e1000_hw *hw) |
| 695 | { | 697 | { |
| 696 | struct e1000_phy_info *phy = &hw->phy; | 698 | struct e1000_phy_info *phy = &hw->phy; |
| 697 | s32 ret_val; | 699 | s32 ret_val = 0; |
| 698 | u16 phy_data, index; | 700 | u16 phy_data, index; |
| 699 | 701 | ||
| 700 | ret_val = e1e_rphy(hw, GG82563_PHY_DSP_DISTANCE, &phy_data); | 702 | ret_val = e1e_rphy(hw, GG82563_PHY_DSP_DISTANCE, &phy_data); |
| 701 | if (ret_val) | 703 | if (ret_val) |
| 702 | return ret_val; | 704 | goto out; |
| 703 | 705 | ||
| 704 | index = phy_data & GG82563_DSPD_CABLE_LENGTH; | 706 | index = phy_data & GG82563_DSPD_CABLE_LENGTH; |
| 707 | |||
| 708 | if (index >= GG82563_CABLE_LENGTH_TABLE_SIZE - 5) { | ||
| 709 | ret_val = -E1000_ERR_PHY; | ||
| 710 | goto out; | ||
| 711 | } | ||
| 712 | |||
| 705 | phy->min_cable_length = e1000_gg82563_cable_length_table[index]; | 713 | phy->min_cable_length = e1000_gg82563_cable_length_table[index]; |
| 706 | phy->max_cable_length = e1000_gg82563_cable_length_table[index+5]; | 714 | phy->max_cable_length = e1000_gg82563_cable_length_table[index + 5]; |
| 707 | 715 | ||
| 708 | phy->cable_length = (phy->min_cable_length + phy->max_cable_length) / 2; | 716 | phy->cable_length = (phy->min_cable_length + phy->max_cable_length) / 2; |
| 709 | 717 | ||
| 710 | return 0; | 718 | out: |
| 719 | return ret_val; | ||
| 711 | } | 720 | } |
| 712 | 721 | ||
| 713 | /** | 722 | /** |
diff --git a/drivers/net/e1000e/phy.c b/drivers/net/e1000e/phy.c index 5cd01c691c53..9ce499734dca 100644 --- a/drivers/net/e1000e/phy.c +++ b/drivers/net/e1000e/phy.c | |||
| @@ -44,6 +44,8 @@ static s32 e1000_access_phy_debug_regs_hv(struct e1000_hw *hw, u32 offset, | |||
| 44 | /* Cable length tables */ | 44 | /* Cable length tables */ |
| 45 | static const u16 e1000_m88_cable_length_table[] = | 45 | static const u16 e1000_m88_cable_length_table[] = |
| 46 | { 0, 50, 80, 110, 140, 140, E1000_CABLE_LENGTH_UNDEFINED }; | 46 | { 0, 50, 80, 110, 140, 140, E1000_CABLE_LENGTH_UNDEFINED }; |
| 47 | #define M88E1000_CABLE_LENGTH_TABLE_SIZE \ | ||
| 48 | ARRAY_SIZE(e1000_m88_cable_length_table) | ||
| 47 | 49 | ||
| 48 | static const u16 e1000_igp_2_cable_length_table[] = | 50 | static const u16 e1000_igp_2_cable_length_table[] = |
| 49 | { 0, 0, 0, 0, 0, 0, 0, 0, 3, 5, 8, 11, 13, 16, 18, 21, 0, 0, 0, 3, | 51 | { 0, 0, 0, 0, 0, 0, 0, 0, 3, 5, 8, 11, 13, 16, 18, 21, 0, 0, 0, 3, |
| @@ -1717,15 +1719,21 @@ s32 e1000e_get_cable_length_m88(struct e1000_hw *hw) | |||
| 1717 | 1719 | ||
| 1718 | ret_val = e1e_rphy(hw, M88E1000_PHY_SPEC_STATUS, &phy_data); | 1720 | ret_val = e1e_rphy(hw, M88E1000_PHY_SPEC_STATUS, &phy_data); |
| 1719 | if (ret_val) | 1721 | if (ret_val) |
| 1720 | return ret_val; | 1722 | goto out; |
| 1721 | 1723 | ||
| 1722 | index = (phy_data & M88E1000_PSSR_CABLE_LENGTH) >> | 1724 | index = (phy_data & M88E1000_PSSR_CABLE_LENGTH) >> |
| 1723 | M88E1000_PSSR_CABLE_LENGTH_SHIFT; | 1725 | M88E1000_PSSR_CABLE_LENGTH_SHIFT; |
| 1726 | if (index >= M88E1000_CABLE_LENGTH_TABLE_SIZE - 1) { | ||
| 1727 | ret_val = -E1000_ERR_PHY; | ||
| 1728 | goto out; | ||
| 1729 | } | ||
| 1730 | |||
| 1724 | phy->min_cable_length = e1000_m88_cable_length_table[index]; | 1731 | phy->min_cable_length = e1000_m88_cable_length_table[index]; |
| 1725 | phy->max_cable_length = e1000_m88_cable_length_table[index+1]; | 1732 | phy->max_cable_length = e1000_m88_cable_length_table[index + 1]; |
| 1726 | 1733 | ||
| 1727 | phy->cable_length = (phy->min_cable_length + phy->max_cable_length) / 2; | 1734 | phy->cable_length = (phy->min_cable_length + phy->max_cable_length) / 2; |
| 1728 | 1735 | ||
| 1736 | out: | ||
| 1729 | return ret_val; | 1737 | return ret_val; |
| 1730 | } | 1738 | } |
| 1731 | 1739 | ||