Source-Changes-HG archive


[src/trunk]: src/sys/arch/x68k/dev PR 50759 David Binderman: fix out of bound...



details:   https://anonhg.NetBSD.org/src/rev/239d51e5ff42
branches:  trunk
changeset: 345510:239d51e5ff42
user:      dholland <dholland%NetBSD.org@localhost>
date:      Tue May 31 03:22:30 2016 +0000

description:
PR 50759 David Binderman: fix out of bounds array access.

If we don't find one of the expected device addresses, reject the
match, but do it by checking whether the loop matched something rather
than by testing an array entry that might be one past the end.

Note: I have also moved the test to be with the loop; since the call
to intio_map_allocate_region had gotten placed in between them, I've
moved it to go before rather than after them as (a) it doesn't
interact with the loop itself and (b) this seems like the best choice
given the history as it was deliberately added before the original
test.

I have not tried running this, not having an x68k, but as best I can
tell by reading the intio code it seems like it should be harmless
even if it's not really correct.

diffstat:

 sys/arch/x68k/dev/zs.c |  16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)

diffs (42 lines):

diff -r 974c7c550597 -r 239d51e5ff42 sys/arch/x68k/dev/zs.c
--- a/sys/arch/x68k/dev/zs.c    Tue May 31 03:12:49 2016 +0000
+++ b/sys/arch/x68k/dev/zs.c    Tue May 31 03:22:30 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: zs.c,v 1.42 2014/03/26 08:17:32 christos Exp $ */
+/*     $NetBSD: zs.c,v 1.43 2016/05/31 03:22:30 dholland Exp $ */
 
 /*-
  * Copyright (c) 1998 Minoura Makoto
@@ -40,7 +40,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: zs.c,v 1.42 2014/03/26 08:17:32 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: zs.c,v 1.43 2016/05/31 03:22:30 dholland Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -148,16 +148,18 @@
        if (strcmp(ia->ia_name, "zsc") != 0)
                return 0;
 
-       for (i = 0; i < ZS_MAXDEV; i++)
-               if (zsaddr == (void *)zs_physaddr[i]) /* XXX */
-                       break;
-
        ia->ia_size = 8;
        if (intio_map_allocate_region(parent, ia, INTIO_MAP_TESTONLY))
                return 0;
 
-       if (zsaddr != (void *)zs_physaddr[i])
+       for (i = 0; i < ZS_MAXDEV; i++)
+               if (zsaddr == (void *)zs_physaddr[i]) /* XXX */
+                       break;
+       if (i == ZS_MAXDEV) {
+               /* not a recognized address */
                return 0;
+       }
+
        if (badaddr((void *)IIOV(zsaddr)))
                return 0;
 
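Review bot: In the relocated loop and the new `if (i == ZS_MAXDEV)` test, both the loop bound and the not-found check rely on ZS_MAXDEV being exactly the number of entries in zs_physaddr, which is not visible in this hunk and which nothing here enforces. Consider deriving both from the array itself, for example `for (i = 0; i < __arraycount(zs_physaddr); i++)` followed by `if (i == __arraycount(zs_physaddr))`, so the index stays in bounds even if the table and the constant drift apart. Testing the loop index rather than re-reading `zs_physaddr[i]` is the right shape for the fix, since the removed check could read the entry at index ZS_MAXDEV when nothing matched. Two smaller points: the carried-over `/* XXX */` on the pointer comparison still does not say what is questionable about the cast, and a short explanation there would help the next reader. Also, the recognized-address check now runs after the intio_map_allocate_region() call with INTIO_MAP_TESTONLY, and the log says this was not run on hardware, so a boot test on an x68k would be worth requesting before relying on the new ordering.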


