<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Hello!<br><br>There is a check of the value of the variable "size" in function <br>dib9000_fw_memmbx_sync() in dib9000.c against the size of the array b, <br>which is equal to 40 (u16 b[40] = { 0 };), after the <br>dib9000_mbx_get_message(state, IN_MSG_FE_FW_DL_DONE, b, &amp;size) call. <br>If the var "size" is less than 40, there is a for loop<br>with an incrementing var "i". The initial value is equal to 0,<br>"i &lt; size" is the loop terminator, and i has only even values. In this loop<br>there is the operation "state-&gt;platform.risc.fe_mm[i/2].addr = b[i + 0]".<br>The "fe_mm[18]" array has only 18 elements. Therefore, there is a possible<br>index overflow when i is more than 34 (i &gt;= 36).<br><br>Code:<br>
<pre style="font-family: Consolas, 'Courier New', monospace; font-size: 12px; line-height: 16px;">
if (dib9000_mbx_get_message(state, IN_MSG_FE_FW_DL_DONE, b, &amp;size) &lt; 0) // size = [0 .. 254]
	return -EIO;

if (size &gt; ARRAY_SIZE(b)) { // var size
	dprintk("error : firmware returned %dbytes needed but the used buffer has only %dbytes\n Firmware init ABORTED", size,
		(int)ARRAY_SIZE(b));
	return -EINVAL;
}

for (i = 0; i &lt; size; i += 2) {
	state-&gt;platform.risc.fe_mm[i / 2].addr = b[i + 0]; // i = [0,2,4..38], size(fe_mm) == 18
	state-&gt;platform.risc.fe_mm[i / 2].size = b[i + 1]; // i/2 = [0,1,2..19], fe_mm[i/2] &gt; size =&gt; overflow
}
</pre>
<br>Please could you tell me if there is any bug here or whether this is OK.<br><br>Found by Linux Verification Center (linuxtesting.org) with SVACE.<br><br>Best regards,<br>Aleksandr Burakov<br></div></div></body></html>
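Added example, not part of the mail above and not the dib9000 driver's own code: a stand-alone C model of the copy loop with the two array sizes the mail states (u16 b[40], fe_mm[18]). It computes the highest fe_mm index the unchecked loop writes for a given message size, and shows the loop with the bound check the mail is asking about, i.e. checking "size" against the destination fe_mm[] as well as against b[]. The struct layout and every name ending in _demo are assumptions for illustration; the sample message contents are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define FE_MM_ENTRIES 18 /* fe_mm[18], as stated in the mail (assumed layout) */
#define MBX_WORDS     40 /* u16 b[40] in dib9000_fw_memmbx_sync() */

/* Hypothetical stand-ins for the driver's state structures. */
struct fe_mm_entry_demo { uint16_t addr; uint16_t size; };
struct risc_demo { struct fe_mm_entry_demo fe_mm[FE_MM_ENTRIES]; };

/* Highest fe_mm index that "for (i = 0; i < size; i += 2)" writes for a
 * given message size; -1 when the loop body never runs. size = 40 gives
 * 19, two past the last valid index 17. */
int max_fe_mm_index_demo(unsigned size)
{
	int last = -1;
	for (unsigned i = 0; i < size; i += 2)
		last = (int)(i / 2);
	return last;
}

/* Largest message (in u16 words) the destination can absorb: one fe_mm
 * entry per pair of words, so 2 * 18 = 36. */
unsigned max_safe_size_demo(void)
{
	return 2 * FE_MM_ENTRIES;
}

/* Hardened copy: the driver's loop, but the message size is checked
 * against the destination fe_mm[] and not only against the mailbox
 * buffer b[]. Returns 0 on success, -EINVAL if either bound is exceeded. */
int fe_mm_copy_demo(struct risc_demo *risc, const uint16_t *b, size_t b_len, unsigned size)
{
	/* the check the driver already has: message must fit the mailbox buffer */
	if (size > b_len)
		return -EINVAL;
	/* the missing check: each pair of words fills one fe_mm entry, and an
	 * odd size still touches one more entry than size / 2 */
	if ((size + 1) / 2 > ARRAY_SIZE(risc->fe_mm))
		return -EINVAL;
	for (unsigned i = 0; i < size; i += 2) {
		risc->fe_mm[i / 2].addr = b[i];
		/* guard the b[i + 1] read for an odd size that equals b_len */
		risc->fe_mm[i / 2].size = (i + 1 < b_len) ? b[i + 1] : 0;
	}
	return 0;
}

/* Runs the hardened copy on a constructed message of `size` words in
 * which word k carries 0x100 + k. Returns the copy's result and, on
 * success, the addr of the last fe_mm entry written via *last_addr. */
int copy_sample_demo(unsigned size, uint16_t *last_addr)
{
	uint16_t b[MBX_WORDS];
	struct risc_demo risc = { 0 };
	int rc;

	for (unsigned k = 0; k < MBX_WORDS; k++)
		b[k] = (uint16_t)(0x100 + k); /* constructed sample words */
	rc = fe_mm_copy_demo(&risc, b, ARRAY_SIZE(b), size);
	if (last_addr)
		*last_addr = (rc == 0 && size > 0) ? risc.fe_mm[(size - 1) / 2].addr : 0;
	return rc;
}

/* Convenience: addr of the last entry written for `size`, 0 if rejected. */
uint16_t last_addr_demo(unsigned size)
{
	uint16_t a = 0;
	copy_sample_demo(size, &a);
	return a;
}

int main(void)
{
	printf("unchecked loop, size 40: last fe_mm index = %d (valid: 0..%d)\n",
	       max_fe_mm_index_demo(40), FE_MM_ENTRIES - 1);
	printf("max safe size = %u words\n", max_safe_size_demo());
	printf("hardened copy: size 36 -> %d, size 38 -> %d, size 41 -> %d\n",
	       copy_sample_demo(36, NULL), copy_sample_demo(38, NULL), copy_sample_demo(41, NULL));
	return 0;
}
```

The second check is the one that bounds i/2 by the destination array; the existing `size > ARRAY_SIZE(b)` check only guarantees the reads from b stay in range, which is why a message of 38 or 40 words passes it and still writes fe_mm[18] and fe_mm[19].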