kern/46201: read array past end in sys/external/isc/atheros_hal/dist/ah_eeprom_v4k.c

[Manuel.Bouyer%lip6.fr@localhost]

>Number:         46201
>Category:       kern
>Synopsis:       read array past end in 
>sys/external/isc/atheros_hal/dist/ah_eeprom_v4k.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 15 19:00:00 +0000 2012
>Originator:     Manuel.Bouyer%lip6.fr@localhost
>Release:        NetBSD 6.0_BETA
>Organization:
>Environment:
System: NetBSD pop.soc.lip6.fr 6.0_BETA NetBSD 6.0_BETA (XEN3PAE_DOMU) i386
Architecture: i386
Machine: i386
>Description:
        in sys/external/isc/atheros_hal/dist/ah_eeprom_v4k.c, lines 239 and
        followings:
        HALASSERT(AR5416_4K_NUM_CTLS <= sizeof(ee->ee_rdEdgesPower)/NUM_EDGES);

        for (i = 0; ee->ee_base.ctlIndex[i] != 0 && i < AR5416_4K_NUM_CTLS; i++)
 {
                for (j = 0; j < NUM_EDGES; j ++) {
                        /* XXX Confirm this is the right thing to do when an inv
alid channel is stored */
                        if (ee->ee_base.ctlData[i].ctlEdges[CTL_CHAIN][j].bChann
el == AR5416_BCHAN_UNUSED) {
                                rep[j].rdEdge = 0;
but ctlEdges[CTL_CHAIN] has only AR5416_4K_NUM_BAND_EDGES elements so we're
testing and using the wrong data here.

>How-To-Repeat:
        code inspection (and gcc -O3)
>Fix:
        I'm not sure replacing NUM_EDGES with AR5416_4K_NUM_BAND_EDGES
        here is enough. rep[] has NUM_EDGES elements and I don't know what do
        do with the exess elements, nor with the pointer arithmetic
        done on it later.