Hi all,
Attached are 87 potential buffer overruns in 2.5.53. Most arise from
improper bounds checks, and some might be security holes where the array
index comes from an untrusted source (e.g. copy_from_user). In the bug
report, "len" refers to the length of the array or buffer being
accessed, and "off" refers to the offset/index that is being used to
access it. (off >= len) corresponds to a buffer overrun, while (off < 0)
signals an underrun.
As always, confirmations and comments will be appreciated.
Yichen
############################################################
# buffer specific errors
#
---------------------------------------------------------
[BUG] cmd array has size 2 (might be false positive, if cmd is used as a
buffer)
/home/yxie/linux-2.5.53/drivers/char/ip2/i2cmd.c:205:i2cmdUnixFlags:
ERROR:BUFFER:205:205:Array bounds error (off >= len) ((*pCM).cmd[2], len
= 2, off = 2, min(off-len) = 0)
i2cmdUnixFlags(unsigned short iflag,unsigned short cflag,unsigned short
lflag)
{
cmdSyntaxPtr pCM = (cmdSyntaxPtr) ct47;
pCM->cmd[1] = (unsigned char) iflag;
Error --->
pCM->cmd[2] = (unsigned char) (iflag >> 8);
pCM->cmd[3] = (unsigned char) cflag;
pCM->cmd[4] = (unsigned char) (cflag >> 8);
pCM->cmd[5] = (unsigned char) lflag;
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/char/rio/riocmd.c:453:RIOCommandRup:
ERROR:BUFFER:453:453:Array bounds error (off >= len)
((*HostP).Mapping[Rup], len = 16, off = sym_16858822, min(off-len) = 0)
HostP-p->RIOHosts, HostP->Name );
rio_dprintk (RIO_DEBUG_CMD, "CONTROL information: Rup
number 0x%x\n", rup);
if ( Rup >= (ushort)MAX_RUP ) {
rio_dprintk (RIO_DEBUG_CMD, "CONTROL
information: This is the RUP for RTA ``%s''\n",
Error --->
HostP->Mapping[Rup].Name);
} else
rio_dprintk (RIO_DEBUG_CMD, "CONTROL
information: This is the RUP for link ``%c'' of host ``%s''\n",
('A' + Rup - MAX_RUP),
HostP->Name);
---------------------------------------------------------
[BUG] what if the for loop above ends with i = 0?
/home/yxie/linux-2.5.53/sound/oss/sb_card.c:890:sb_isapnp_probe:
ERROR:BUFFER:890:890:Array bounds error (off < 0) (sb_isapnp_list[i],
max(off) = -1)
}
if(!first || !reverse)
i = isapnpjump;
first = 0;
Error --->
while(sb_isapnp_list[i].card_vendor != 0) {
static struct pci_bus *bus = NULL;
while ((bus = isapnp_find_card(
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/pcmcia/i82092.c:389:card_present:
ERROR:BUFFER:389:389:Array bounds error (off >= len) [RANGE]
(sockets[socketno], len = 4, off = sym_34899870, max(off-len) = 0)
unsigned int val;
enter("card_present");
if ((socketno<0) || (socketno > MAX_SOCKETS))
return 0;
Error --->
if (sockets[socketno].io_base == 0)
return 0;
---------------------------------------------------------
[BUG] domain of first dimension of sis300_filter2 is 10, but temp is set
to 18 above
/home/yxie/linux-2.5.53/drivers/video/sis/init301.c:8267:SetOEMYFilter:
ERROR:BUFFER:8267:8267:Array bounds error (off >= len)
(SiS300_Filter2[(int)temp], len = 10, off = 18, min(off-len) = 8)
if(temp1 & EnablePALN) temp = 18;
}
}
if(SiS_VBType & VB_SIS301BLV302BLV) {
for(i=0x35, j=0; i<=0x38; i++, j++) {
Error --->
SiS_SetReg1(Part2Port,i,SiS300_Filter2[temp][index][j]);
}
for(i=0x48; i<=0x4A; i++, j++) {
SiS_SetReg1(Part2Port,i,SiS300_Filter2[temp][index][j]);
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/char/rio/rioboot.c:881:RIOBootComplete:
ERROR:BUFFER:881:881:Array bounds error (off >= len)
((*HostP).Mapping[Rup], len = 16, off = sym_13816603, min(off-len) = 0)
** chance to boot it.
*/
WWORD(HostP->LinkStrP[MyLink].WaitNoBoot, 30);
}
rio_dprintk (RIO_DEBUG_BOOT, "RTA %x not owned - suspend
booting down link %c on unit %x\n",
Error --->
RtaUniq, 'A' + MyLink, HostP->Mapping[Rup].RtaUniqueNum);
return TRUE;
}
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/message/fusion/mptbase.c:4939:procmpt_cr
eate: ERROR:BUFFER:4939:4939:Array bounds error (off >= len)
(mpt_ioc_proc_list[ii], len = 2, off = 2, min(off-len) = 0)
}
ent->read_proc =
mpt_ioc_proc_list[ii].f;
ent->data = ioc;
}
} else {
Error --->
printk(MYIOC_s_WARN_FMT "Could not create
/proc/mpt/%s subdir entry!\n",
ioc->name,
mpt_ioc_proc_list[ii].name);
}
ioc = mpt_adapter_find_next(ioc);
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/isdn/i4l/isdn_common.c:1709:isdn_ctrl_io
ctl: ERROR:BUFFER:1709:1709:Array bounds error (off >= len)
(iocpar.bname[j], len = 20, off = 20, min(off-len) = 0)
int j = 0;
while (1) {
if ((ret =
verify_area(VERIFY_READ, p, 1)))
return ret;
Error --->
get_user(bname[j], p++);
switch (bname[j]) {
case '\0':
loop = 0;
---------------------------------------------------------
[BUG] need one more element in ZeroAddr
/home/yxie/linux-2.5.53/drivers/net/sk98lin/skxmac2.c:424:SkXmClrSrcChec
k: ERROR:BUFFER:424:424:Array bounds error (off >= len) (*pByte + 6, len
= 6, off = 6, min(off-len) = 0)
SK_IOC IoC, /* IO context */
int Port) /* The XMAC to handle with belongs to this Port
(MAC_1 + n) */
{
SK_U16 ZeroAddr[3] = {0x0000, 0x0000, 0x0000};
Error --->
XM_OUTHASH(IoC, Port, XM_SRC_CHK, &ZeroAddr);
} /* SkXmClrSrcCheck */
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/block/DAC960.c:1746:DAC960_V2_ReadContro
llerConfiguration: ERROR:BUFFER:1746:1746:Array bounds error (off >=
len) [RANGE]
((*Controller).LogicalDriveInitiallyAccessible[(int)LogicalDeviceNumber]
, len = 32, off = sym_30754894, max(off-len) = 0)
PhysicalDevice.LogicalUnit = NewLogicalDeviceInfo->LogicalUnit;
Controller->V2.LogicalDriveToVirtualDevice[LogicalDeviceNumber] =
PhysicalDevice;
if (NewLogicalDeviceInfo->LogicalDeviceState !=
DAC960_V2_LogicalDevice_Offline)
Error --->
Controller->LogicalDriveInitiallyAccessible[LogicalDeviceNumber]
= true;
LogicalDeviceInfo = (DAC960_V2_LogicalDeviceInfo_T *)
kmalloc(sizeof(DAC960_V2_LogicalDeviceInfo_T), GFP_ATOMIC);
if (LogicalDeviceInfo == NULL)
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/isdn/hardware/eicon/diva.c:573:diva_xdi_
display_adapter_features: ERROR:BUFFER:573:573:Array bounds error (off
>= len) [RANGE] (IoAdapters[card], len = 32, off = (sym_39527244, 1, -1,
1), max(off-len) = 0)
dword features;
if (!card || ((card - 1) > MAX_ADAPTER) || !IoAdapters[card -
1]) {
return;
}
card--;
Error --->
features = IoAdapters[card]->Properties.Features;
DBG_LOG(("FEATURES FOR ADAPTER: %d", card + 1))
DBG_LOG((" DI_FAX3 : %s",
---------------------------------------------------------
[BUG] card_idx checked against MAX_UNITS above, but didn't bail out on
error
/home/yxie/linux-2.5.53/drivers/net/3c59x.c:1343:vortex_probe1:
ERROR:BUFFER:1343:1343:Array bounds error (off >= len)
(hw_checksums[card_idx], len = 8, off = sym_20419785, min(off-len) = 0)
dev->open = vortex_open;
if (vp->full_bus_master_tx) {
dev->hard_start_xmit = boomerang_start_xmit;
/* Actually, it still should work with iommu. */
dev->features |= NETIF_F_SG;
Error --->
if (((hw_checksums[card_idx] == -1) && (vp->drv_flags &
HAS_HWCKSM)) ||
(hw_checksums[card_idx] == 1)) {
dev->features |= NETIF_F_IP_CSUM;
}
---------------------------------------------------------
[BUG] "old" might get garbage on the stack
/home/yxie/linux-2.5.53/fs/devfs/base.c:1179:_devfs_make_parent_for_leaf
: ERROR:BUFFER:1179:1179:Dereferencing uninitialized pointer (*old)
evaluated in the following state
de = _devfs_alloc_entry (name, next_pos, MODE_DIR);
devfs_get (de);
if ( !de || _devfs_append_entry (dir, de, FALSE, &old) )
{
devfs_put (de);
Error --->
if ( !old || !S_ISDIR (old->mode) )
{
devfs_put (old);
devfs_put (dir);
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/hotplug/ibmphp_pci.c:1630:ibmphp_unconfi
gure_card: ERROR:BUFFER:1630:1630:Array bounds error (off >= len)
((*cur_func).mem[count], len = 6, off = 6, min(off-len) = 0)
debug ("io[%d] exists \n",
count);
if (the_end > 0)
ibmphp_remove_resource
(cur_func->io[count]);
cur_func->io[count] = NULL;
}
Error --->
if (cur_func->mem[count]) {
debug ("mem[%d] exists \n",
count);
if (the_end > 0)
ibmphp_remove_resource
(cur_func->mem[count]);
---------------------------------------------------------
[BUG] what if i = 255?
/home/yxie/linux-2.5.53/drivers/net/tg3.c:5857:tg3_read_partno:
ERROR:BUFFER:5857:5857:Array bounds error (off >= len) [RANGE]
(vpd_data[i + 2], len = 256, off = (sym_8147517, 1, 2, 1), max(off-len)
= 1)
for (i = 0; i < 256; ) {
unsigned char val = vpd_data[i];
int block_end;
if (val == 0x82 || val == 0x91) {
Error --->
i = (i + 3 +
(vpd_data[i + 1] +
(vpd_data[i + 2] << 8)));
continue;
---------------------------------------------------------
[BUG] should be >= TACH_SEST_LEN
/home/yxie/linux-2.5.53/drivers/scsi/cpqfcTSworker.c:557:cpqfcTS_WorkTas
k: ERROR:BUFFER:557:557:Array bounds error (off >= len) [RANGE]
((*(*fcChip).SEST).u[x_ID], len = 512, off = sym_18059005, max(off-len)
= 0)
// requested the abort.
// clear bit 31 (VALid), to invalidate & take control from TL
Error --->
fcChip->SEST->u[ x_ID].IWE.Hdr_Len &= 0x7FFFFFFF;
// examine and Tach's "Linked List" for IWEs that
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1166:delete_disk:
ERROR:BUFFER:1166:1166:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).valid[dd.cnum], len = 31, off = sym_14786346,
max(off-len) = 0)
return -EBUSY;
else {
/*
* Mark the container as no longer being valid.
*/
Error --->
fsa_dev_ptr->valid[dd.cnum] = 0;
fsa_dev_ptr->devname[dd.cnum][0] = '\0';
return 0;
}
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/isdn/hardware/eicon/diva.c:569:diva_xdi_
display_adapter_features: ERROR:BUFFER:569:569:Array bounds error (off
>= len) [RANGE] (IoAdapters[card - 1], len = 32, off = (sym_39527244, 1,
-1, 1), max(off-len) = 0)
}
void diva_xdi_display_adapter_features(int card)
{
dword features;
Error --->
if (!card || ((card - 1) > MAX_ADAPTER) || !IoAdapters[card -
1]) {
return;
}
card--;
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/block/DAC960.c:1742:DAC960_V2_ReadContro
llerConfiguration: ERROR:BUFFER:1742:1742:Array bounds error (off >=
len) [RANGE]
((*Controller).FW.V2.LogicalDriveToVirtualDevice[(int)LogicalDeviceNumbe
r], len = 32, off = sym_30754894, max(off-len) = 0)
NewLogicalDeviceInfo->DeviceBlockSizeInBytes);
PhysicalDevice.Controller = 0;
PhysicalDevice.Channel = NewLogicalDeviceInfo->Channel;
PhysicalDevice.TargetID = NewLogicalDeviceInfo->TargetID;
PhysicalDevice.LogicalUnit = NewLogicalDeviceInfo->LogicalUnit;
Error --->
Controller->V2.LogicalDriveToVirtualDevice[LogicalDeviceNumber] =
PhysicalDevice;
if (NewLogicalDeviceInfo->LogicalDeviceState !=
DAC960_V2_LogicalDevice_Offline)
---------------------------------------------------------
[BUG] i or count?
/home/yxie/linux-2.5.53/drivers/hotplug/ibmphp_pci.c:1624:ibmphp_unconfi
gure_card: ERROR:BUFFER:1624:1624:Array bounds error (off >= len)
((*cur_func).io[count], len = 6, off = 6, min(off-len) = 0)
} else {
count = 6;
}
for (i = 0; i < count; i++) {
Error --->
if (cur_func->io[count]) {
debug ("io[%d] exists \n",
count);
if (the_end > 0)
ibmphp_remove_resource
(cur_func->io[count]);
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/arch/i386/pci/numa.c:53:__pci_conf1_mq_write:
ERROR:BUFFER:53:53:Array bounds error (off >= len) [RANGE]
(mp_bus_id_to_local[bus], len = 32, off = sym_42073848, max(off-len) =
223)
if ((bus > 255) || (dev > 31) || (fn > 7) || (reg > 255))
return -EINVAL;
spin_lock_irqsave(&pci_config_lock, flags);
Error --->
outl_quad(PCI_CONF1_MQ_ADDRESS(bus, dev, fn, reg), 0xCF8,
BUS2QUAD(bus));
switch (len) {
case 1:
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/input/keyboard/sunkbd.c:271:sunkbd_conne
ct: ERROR:BUFFER:271:271:Array bounds error (off >= len) [RANGE]
((*sunkbd).keycode[i], len = 128, off = sym_44382539, max(off-len) =
126)
sprintf(sunkbd->name, "Sun Type %d keyboard", sunkbd->type);
memcpy(sunkbd->keycode, sunkbd_keycode,
sizeof(sunkbd->keycode));
for (i = 0; i < 255; i++)
Error --->
set_bit(sunkbd->keycode[i], sunkbd->dev.keybit);
clear_bit(0, sunkbd->dev.keybit);
sprintf(sunkbd->name, "%s/input", serio->phys);
---------------------------------------------------------
[BUG] length of vendorId is 8
/home/yxie/linux-2.5.53/drivers/scsi/psi240i.c:334:Irq_Handler:
ERROR:BUFFER:334:334:Array bounds error (off >= len)
((*pinquiryData).VendorId[z], len = 8, off = 8, min(off-len) = 0)
pinquiryData->AdditionalLength = 35 - 4;
// Fill in vendor identification fields.
for ( z = 0; z < 20; z += 2 )
{
Error --->
pinquiryData->VendorId[z]
= ((UCHAR *)identifyData.ModelNumber)[z + 1];
pinquiryData->VendorId[z + 1] =
((UCHAR *)identifyData.ModelNumber)[z];
}
---------------------------------------------------------
[BUG] temp too big; len of the array is just 10
/home/yxie/linux-2.5.53/drivers/video/sis/init301.c:8274:SetOEMYFilter:
ERROR:BUFFER:8274:8274:Array bounds error (off >= len)
(SiS300_Filter1[(int)temp], len = 10, off = 18, min(off-len) = 8)
for(i=0x48; i<=0x4A; i++, j++) {
SiS_SetReg1(Part2Port,i,SiS300_Filter2[temp][index][j]);
}
} else {
for(i=0x35, j=0; i<=0x38; i++, j++) {
Error --->
SiS_SetReg1(Part2Port,i,SiS300_Filter1[temp][index][j]);
}
}
}
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/char/ip2/i2cmd.c:207:i2cmdUnixFlags:
ERROR:BUFFER:207:207:Array bounds error (off >= len) ((*pCM).cmd[4], len
= 2, off = 4, min(off-len) = 2)
cmdSyntaxPtr pCM = (cmdSyntaxPtr) ct47;
pCM->cmd[1] = (unsigned char) iflag;
pCM->cmd[2] = (unsigned char) (iflag >> 8);
pCM->cmd[3] = (unsigned char) cflag;
Error --->
pCM->cmd[4] = (unsigned char) (cflag >> 8);
pCM->cmd[5] = (unsigned char) lflag;
pCM->cmd[6] = (unsigned char) (lflag >> 8);
return pCM;
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1141:force_delete_
disk: ERROR:BUFFER:1141:1141:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).valid[dd.cnum], len = 31, off = sym_14786353,
max(off-len) = 0)
*/
fsa_dev_ptr->deleted[dd.cnum] = 1;
/*
* Mark the container as no longer valid
*/
Error --->
fsa_dev_ptr->valid[dd.cnum] = 0;
return 0;
}
---------------------------------------------------------
[BUG] [SEC] off-by-one
/home/yxie/linux-2.5.53/drivers/char/riscom8.c:1093:rc_open:
ERROR:BUFFER:1093:1093:Array bounds error (off >= len) [RANGE]
(rc_board[board], len = 4, off = sym_14830233, max(off-len) = 0)
struct riscom_port * port;
struct riscom_board * bp;
unsigned long flags;
board = RC_BOARD(minor(tty->device));
Error --->
if (board > RC_NBOARD || !(rc_board[board].flags &
RC_BOARD_PRESENT))
return -ENODEV;
bp = &rc_board[board];
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/net/irda/qos.c:728:irlap_max_line_capacity:
ERROR:BUFFER:728:728:Array bounds error (off >= len) [RANGE]
(max_line_capacities[i][j], len = 4, off = sym_3973899, max(off-len) =
0)
j = value_index(max_turn_time, max_turn_times, 4);
ASSERT(((i >=0) && (i <=10)), return 0;);
ASSERT(((j >=0) && (j <=4)), return 0;);
Error --->
line_capacity = max_line_capacities[i][j];
IRDA_DEBUG(2, "%s(), line capacity=%d bytes\n",
__FUNCTION__, line_capacity);
---------------------------------------------------------
[BUG] i = 128 j = 10, sizeof(start_code) = 138, not a multiple of 32
/home/yxie/linux-2.5.53/drivers/net/eexpress.c:1470:eexp_hw_init586:
ERROR:BUFFER:1470:1470:Array bounds error (off >= len) (start_code[i + j
/ 2], len = 69, off = 69, min(off-len) = 0)
for (i = 0; i < (sizeof(start_code)); i+=32) {
int j;
outw(i, ioaddr + SM_PTR);
for (j = 0; j < 16; j+=2)
Error --->
outw(start_code[(i+j)/2],
ioaddr+0x4000+j);
for (j = 0; j < 16; j+=2)
outw(start_code[(i+j+16)/2],
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/net/irda/smc-ircc.c:524:ircc_open:
ERROR:BUFFER:524:524:Array bounds error (off >= len) [RANGE]
(dev_self[(int)dev_count], len = 2, off = sym_31672470, max(off-len) =
0)
memset(self->rx_buff.head, 0, self->rx_buff.truesize);
memset(self->tx_buff.head, 0, self->tx_buff.truesize);
/* Need to store self somewhere */
Error --->
dev_self[dev_count++] = self;
/* Steal the network device from irport */
self->netdev = irport->netdev;
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/net/core/rtnetlink.c:311:rtnetlink_rcv_msg:
ERROR:BUFFER:311:311:Array bounds error (off >= len) [RANGE]
(rtnetlink_links[family], len = 32, off = sym_38788183, max(off-len) =
0)
if (family > NPROTO) {
*errp = -EAFNOSUPPORT;
return -1;
}
Error --->
link_tab = rtnetlink_links[family];
if (link_tab == NULL)
link_tab = rtnetlink_links[PF_UNSPEC];
link = &link_tab[type];
---------------------------------------------------------
[BUG] missing comma in definition of split_status_strings
/home/yxie/linux-2.5.53/drivers/scsi/aic7xxx/aic79xx_pci.c:808:ahd_pci_s
plit_intr: ERROR:BUFFER:808:808:Array bounds error (off >= len) [RANGE]
(split_status_strings[bit], len = 7, off = sym_42005934, max(off-len) =
0)
for (bit = 0; bit < 8; bit++) {
if ((split_status[i] & (0x1 << bit)) != 0) {
static const char *s;
Error --->
s = split_status_strings[bit];
printf(s, ahd_name(ahd),
split_status_source[i]);
}
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/char/sx.c:1694:sx_fw_ioctl:
ERROR:BUFFER:1694:1694:Array bounds error (off >= len) [RANGE]
(boards[arg], len = 4, off = sym_36474475, max(off-len) = 0)
switch (cmd) {
case SXIO_SET_BOARD:
sx_dprintk (SX_DEBUG_FIRMWARE, "set board to %ld\n",
arg);
if (arg > SX_NBOARDS) return -EIO;
sx_dprintk (SX_DEBUG_FIRMWARE, "not out of range\n");
Error --->
if (!(boards[arg].flags & SX_BOARD_PRESENT)) return
-EIO;
sx_dprintk (SX_DEBUG_FIRMWARE, ".. and present!\n");
board = &boards[arg];
break;
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/media/dvb/av7110/av7110.c:3253:StopHWFil
ter: ERROR:BUFFER:3253:3253:Array bounds error (off >= len) [RANGE]
((*av7110).handle2filter[(int)handle], len = 32, off = sym_16476028,
max(off-len) = 0)
handle);
dprintk("dvb: filter type = %d\n", dvbdmxfilter->type);
return 0;
}
Error --->
av7110->handle2filter[handle]=NULL;
buf[0] = (COMTYPE_PID_FILTER << 8) + DelPIDFilter;
buf[1] = 1;
---------------------------------------------------------
[BUG] might have forgotten to >>4
/home/yxie/linux-2.5.53/drivers/message/i2o/i2o_block.c:1518:i2ob_del_de
vice: ERROR:BUFFER:1518:1518:Array bounds error (off >= len)
(i2ob_media_change_flag[unit], len = 16, off = 16, min(off-len) = 0)
/*
* Do we need this?
* The media didn't really change...the device is just gone
*/
Error --->
i2ob_media_change_flag[unit] = 1;
i2ob_dev_count--;
}
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/message/i2o/i2o_block.c:1256:i2ob_init_i
op: ERROR:BUFFER:1256:1256:Array bounds error (off >= len)
((*i2ob_queues[unit]).request_queue[i], len = 8, off = 8, min(off-len) =
0)
i2ob_queues[unit]->request_queue[i].next =
&i2ob_queues[unit]->request_queue[i+1];
i2ob_queues[unit]->request_queue[i].num = i;
}
/* Queue is MAX_I2OB + 1... */
Error --->
i2ob_queues[unit]->request_queue[i].next = NULL;
i2ob_queues[unit]->i2ob_qhead =
&i2ob_queues[unit]->request_queue[0];
atomic_set(&i2ob_queues[unit]->queue_depth, 0);
---------------------------------------------------------
[BUG] possible, but not sure
/home/yxie/linux-2.5.53/drivers/usb/host/ohci-hub.c:145:ohci_hub_descrip
tor: ERROR:BUFFER:145:145:Array bounds error (off >= len)
((*desc).DeviceRemovable[3], len = 3, off = 3, min(off-len) = 0)
/* two bitmaps: ports removable, and usb 1.0 legacy
PortPwrCtrlMask */
rh = roothub_b (ohci);
desc->bitmap [0] = rh & RH_B_DR;
if (ports > 7) {
desc->bitmap [1] = (rh & RH_B_DR) >> 8;
Error --->
desc->bitmap [2] = desc->bitmap [3] = 0xff;
} else
desc->bitmap [1] = 0xff;
}
---------------------------------------------------------
[BUG] data[15]?
/home/yxie/linux-2.5.53/drivers/message/i2o/i2o_block.c:733:i2ob_evt:
ERROR:BUFFER:733:733:Array bounds error (off >= len)
((*evt_local).data[16], len = 16, off = 16, min(off-len) = 0)
*/
case I2O_EVT_IND_BSA_SCSI_SMART:
{
char buf[16];
printk(KERN_INFO "I2O Block: %s received
a SCSI SMART Event\n",i2ob_dev[unit].i2odev->dev_name);
Error --->
evt_local->data[16]='\0';
sprintf(buf,"%s",&evt_local->data[0]);
printk(KERN_INFO " Disk
Serial#:%s\n",buf);
printk(KERN_INFO " ASC 0x%02x
\n",evt_local->ASC);
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1160:delete_disk:
ERROR:BUFFER:1160:1160:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).locked[dd.cnum], len = 31, off = sym_14786346,
max(off-len) = 0)
if (dd.cnum > MAXIMUM_NUM_CONTAINERS)
return -EINVAL;
/*
* If the container is locked, it can not be deleted by the
API.
*/
Error --->
if (fsa_dev_ptr->locked[dd.cnum])
return -EBUSY;
else {
/*
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/hotplug/ibmphp_pci.c:1636:ibmphp_unconfi
gure_card: ERROR:BUFFER:1636:1636:Array bounds error (off >= len)
((*cur_func).pfmem[count], len = 6, off = 6, min(off-len) = 0)
debug ("mem[%d] exists \n",
count);
if (the_end > 0)
ibmphp_remove_resource
(cur_func->mem[count]);
cur_func->mem[count] = NULL;
}
Error --->
if (cur_func->pfmem[count]) {
debug ("pfmem[%d] exists \n",
count);
if (the_end > 0)
ibmphp_remove_resource
(cur_func->pfmem[count]);
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/block/DAC960.c:1751:DAC960_V2_ReadContro
llerConfiguration: ERROR:BUFFER:1751:1751:Array bounds error (off >=
len) [RANGE]
((*Controller).FW.V2.LogicalDeviceInformation[(int)LogicalDeviceNumber],
len = 32, off = sym_30754894, max(off-len) = 0)
Controller->LogicalDriveInitiallyAccessible[LogicalDeviceNumber]
= true;
LogicalDeviceInfo = (DAC960_V2_LogicalDeviceInfo_T *)
kmalloc(sizeof(DAC960_V2_LogicalDeviceInfo_T), GFP_ATOMIC);
if (LogicalDeviceInfo == NULL)
return DAC960_Failure(Controller, "LOGICAL DEVICE ALLOCATION");
Error --->
Controller->V2.LogicalDeviceInformation[LogicalDeviceNumber] =
LogicalDeviceInfo;
memcpy(LogicalDeviceInfo, NewLogicalDeviceInfo,
sizeof(DAC960_V2_LogicalDeviceInfo_T));
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/char/specialix.c:2367:specialix_init:
ERROR:BUFFER:2367:2367:Array bounds error (off >= len) (sx_board[i], len
= 8, off = 8, min(off-len) = 0)
if (pci_present()) {
struct pci_dev *pdev = NULL;
i=0;
while (i <= SX_NBOARD) {
Error --->
if (sx_board[i].flags & SX_BOARD_PRESENT) {
i++;
continue;
}
---------------------------------------------------------
[BUG] what if level < 0?
/home/yxie/linux-2.5.53/fs/xfs/xfs_bmap_btree.c:1364:xfs_bmbt_lshift:
ERROR:BUFFER:1364:1364:Array bounds error (off < 0)
((*cur).bc_ptrs[level], max(off) = -1)
}
if ((error = xfs_bmbt_updkey(cur, rkp, level + 1))) {
XFS_BMBT_TRACE_CURSOR(cur, ERROR);
return error;
}
Error --->
cur->bc_ptrs[level]--;
XFS_BMBT_TRACE_CURSOR(cur, EXIT);
*stat = 1;
return 0;
---------------------------------------------------------
[BUG] macro misuse
/home/yxie/linux-2.5.53/arch/i386/pci/numa.c:25:__pci_conf1_mq_read:
ERROR:BUFFER:25:25:Array bounds error (off >= len) [RANGE]
(mp_bus_id_to_local[bus], len = 32, off = sym_42073871, max(off-len) =
223)
if (!value || (bus > 255) || (dev > 31) || (fn > 7) || (reg >
255))
return -EINVAL;
spin_lock_irqsave(&pci_config_lock, flags);
Error --->
outl_quad(PCI_CONF1_MQ_ADDRESS(bus, dev, fn, reg), 0xCF8,
BUS2QUAD(bus));
switch (len) {
case 1:
---------------------------------------------------------
[BUG] suspicious
/home/yxie/linux-2.5.53/drivers/char/ip2/i2cmd.c:261:i2cmdBaudDef:
ERROR:BUFFER:261:261:Array bounds error (off >= len) ((*pCM).cmd[2], len
= 2, off = 2, min(off-len) = 0)
case 2:
pCM = (cmdSyntaxPtr) ct55;
break;
}
pCM->cmd[1] = (unsigned char) rate;
Error --->
pCM->cmd[2] = (unsigned char) (rate >> 8);
return pCM;
}
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/net/tokenring/3c359.c:753:xl_open_hw:
ERROR:BUFFER:753:753:Array bounds error (off >= len)
((*xl_priv).xl_laa[i], len = 6, off = sym_42195646, min(off-len) = 4)
*/
if (xl_priv->xl_laa[0]) { /* If using a LAA address */
for (i=10;i<16;i++) {
writel( (MEM_BYTE_WRITE | 0xD0000 |
xl_priv->srb) + i, xl_mmio + MMIO_MAC_ACCESS_CMD) ;
Error --->
writeb(xl_priv->xl_laa[i],xl_mmio +
MMIO_MACDATA) ;
}
memcpy(dev->dev_addr,xl_priv->xl_laa,dev->addr_len) ;
} else { /* Regular hardware address */
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/media/video/bttv-cards.c:2094:hauppauge_
eeprom: ERROR:BUFFER:2094:2094:Array bounds error (off >= len)
(hauppauge_tuner[tuner], len = 51, off = sym_16089004, min(off-len) = 0)
btv->tuner_type = hauppauge_tuner[tuner].id;
if (radio)
btv->has_radio = 1;
if (bttv_verbose)
Error --->
printk(KERN_INFO "bttv%d: Hauppauge eeprom: model=%d, "
"tuner=%s (%d), radio=%s\n",
btv->nr, model, hauppauge_tuner[tuner].name,
btv->tuner_type, radio ? "yes" : "no");
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/char/specialix.c:1459:sx_open:
ERROR:BUFFER:1459:1459:Array bounds error (off >= len) [RANGE]
(sx_board[board], len = 8, off = sym_29947032, max(off-len) = 0)
struct specialix_board * bp;
unsigned long flags;
board = SX_BOARD(minor(tty->device));
Error --->
if (board > SX_NBOARD || !(sx_board[board].flags &
SX_BOARD_PRESENT))
return -ENODEV;
bp = &sx_board[board];
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/net/irda/qos.c:728:irlap_max_line_capacity:
ERROR:BUFFER:728:728:Array bounds error (off >= len) [RANGE]
(max_line_capacities[i], len = 10, off = sym_3973897, max(off-len) = 0)
j = value_index(max_turn_time, max_turn_times, 4);
ASSERT(((i >=0) && (i <=10)), return 0;);
ASSERT(((j >=0) && (j <=4)), return 0;);
Error --->
line_capacity = max_line_capacities[i][j];
IRDA_DEBUG(2, "%s(), line capacity=%d bytes\n",
__FUNCTION__, line_capacity);
---------------------------------------------------------
[BUG] should panic after printk
/home/yxie/linux-2.5.53/drivers/scsi/qlogicfc.c:926:isp2x00_make_portdb:
ERROR:BUFFER:926:926:Array bounds error (off >= len)
((*hostdata).port_db[j], len = 256, off = 256, min(off-len) = 0)
break;
}
}
if (j == QLOGICFC_MAX_ID + 1)
printk("qlogicfc%d : Too many scsi
devices, no more room in port map.\n", hostdata->host_id);
Error --->
if (!hostdata->port_db[j].wwn) {
hostdata->port_db[j].loop_id =
temp[i].loop_id;
hostdata->port_db[j].wwn = temp[i].wwn;
}
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/arch/i386/kernel/cpu/cpufreq/powernow-k6.c:202:p
owernow_k6_setpolicy: ERROR:BUFFER:202:202:Array bounds error (off >=
len) (clock_ratio[i], len = 8, off = 8, min(off-len) = 0)
break;
default:
return -EINVAL;
}
Error --->
if (clock_ratio[i] > max_multiplier)
return -EINVAL;
powernow_k6_set_state(j);
---------------------------------------------------------
[BUG] suspicious, since sizeof cmd is 2 (not 0 or 1, which is commonly
used for buffers)
/home/yxie/linux-2.5.53/drivers/char/ip2/i2cmd.c:209:i2cmdUnixFlags:
ERROR:BUFFER:209:209:Array bounds error (off >= len) ((*pCM).cmd[6], len
= 2, off = 6, min(off-len) = 4)
pCM->cmd[1] = (unsigned char) iflag;
pCM->cmd[2] = (unsigned char) (iflag >> 8);
pCM->cmd[3] = (unsigned char) cflag;
pCM->cmd[4] = (unsigned char) (cflag >> 8);
pCM->cmd[5] = (unsigned char) lflag;
Error --->
pCM->cmd[6] = (unsigned char) (lflag >> 8);
return pCM;
}
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/net/wireless/orinoco.c:3063:orinoco_ioct
l_getrate: ERROR:BUFFER:3063:3063:Array bounds error (off >= len)
(bitrate_table[ratemode], len = 8, off = sym_45223018, min(off-len) = 1)
ratemode = priv->bitratemode;
if ( (ratemode < 0) || (ratemode > BITRATE_TABLE_SIZE) )
BUG();
Error --->
rrq->value = bitrate_table[ratemode].bitrate * 100000;
rrq->fixed = ! bitrate_table[ratemode].automatic;
rrq->disabled = 0;
---------------------------------------------------------
[BUG] sizeof(start_code) = 138
/home/yxie/linux-2.5.53/drivers/net/eexpress.c:1473:eexp_hw_init586:
ERROR:BUFFER:1473:1473:Array bounds error (off >= len) (start_code[i + j
+ 16 / 2], len = 69, off = 72, min(off-len) = 3)
outw(i, ioaddr + SM_PTR);
for (j = 0; j < 16; j+=2)
outw(start_code[(i+j)/2],
ioaddr+0x4000+j);
for (j = 0; j < 16; j+=2)
Error --->
outw(start_code[(i+j+16)/2],
ioaddr+0x8000+j);
}
---------------------------------------------------------
[BUG] suspicious
/home/yxie/linux-2.5.53/drivers/video/sis/init.c:3956:SiS_GetPanelID:
ERROR:BUFFER:3956:3956:Array bounds error (off >= len)
(PanelTypeTable[(int)tempbx], len = 16, off = 24, min(off-len) = 8)
return 0;
}
}
tempbx <<= 1;
Error --->
tempbx = PanelTypeTable[tempbx];
tempbx |= LCDSync;
temp = tempbx & 0x00FF;
SiS_SetReg1(SiS_P3d4,0x36,temp);
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/net/hamradio/scc.c:1769:scc_net_ioctl:
ERROR:BUFFER:1769:1769:Array bounds error (off >= len) [RANGE]
(Ivec[hwcfg.irq], len = 224, off = sym_47606686, max(off-len) = 0)
if (hwcfg.irq == 2) hwcfg.irq = 9;
if (hwcfg.irq <0 || hwcfg.irq > NR_IRQS)
return -EINVAL;
Error --->
if (!Ivec[hwcfg.irq].used && hwcfg.irq)
{
if (request_irq(hwcfg.irq, scc_isr,
SA_INTERRUPT, "AX.25 SCC", NULL))
printk(KERN_WARNING "z8530drv:
warning, cannot get IRQ %d\n", hwcfg.irq);
---------------------------------------------------------
[BUG] length of VendorId is only 8
/home/yxie/linux-2.5.53/drivers/scsi/psi240i.c:335:Irq_Handler:
ERROR:BUFFER:335:335:Array bounds error (off >= len)
((*pinquiryData).VendorId[z + 1], len = 8, off = 9, min(off-len) = 1)
// Fill in vendor identification fields.
for ( z = 0; z < 20; z += 2 )
{
pinquiryData->VendorId[z]
= ((UCHAR *)identifyData.ModelNumber)[z + 1];
Error --->
pinquiryData->VendorId[z + 1] =
((UCHAR *)identifyData.ModelNumber)[z];
}
// Initialize unused portion of product
id.
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/sound/oss/dev_table.c:42:sound_install_audiodrv:
ERROR:BUFFER:42:42:Array bounds error (off >= len) [RANGE]
(sound_mem_blocks[sound_nblocks], len = 1024, off = (sym_612015, 1, 1,
1), max(off-len) = 0)
d = (struct audio_driver *) (sound_mem_blocks[sound_nblocks] =
vmalloc(sizeof(struct audio_driver)));
if (sound_nblocks < 1024)
sound_nblocks++;
Error --->
op = (struct audio_operations *)
(sound_mem_blocks[sound_nblocks] = vmalloc(sizeof(struct
audio_operations)));
if (sound_nblocks < 1024)
sound_nblocks++;
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1107:query_disk:
ERROR:BUFFER:1107:1107:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).locked[qd.cnum], len = 31, off = sym_14786361,
max(off-len) = 0)
qd.lun = CONTAINER_TO_LUN(qd.cnum);
}
else return -EINVAL;
qd.valid = fsa_dev_ptr->valid[qd.cnum];
Error --->
qd.locked = fsa_dev_ptr->locked[qd.cnum];
qd.deleted = fsa_dev_ptr->deleted[qd.cnum];
if (fsa_dev_ptr->devname[qd.cnum][0] == '\0')
---------------------------------------------------------
[BUG] missing comma in rq_flags
/home/yxie/linux-2.5.53/drivers/block/ll_rw_blk.c:685:blk_dump_rq_flags:
ERROR:BUFFER:685:685:Array bounds error (off >= len) (rq_flags[bit], len
= 17, off = 17, min(off-len) = 0)
printk("%s: dev %s: flags = ", msg,
rq->rq_disk ? rq->rq_disk->disk_name : "?");
bit = 0;
do {
if (rq->flags & (1 << bit))
Error --->
printk("%s ", rq_flags[bit]);
bit++;
} while (bit < __REQ_NR_BITS);
---------------------------------------------------------
[BUG] suspicious, but probably not bug
/home/yxie/linux-2.5.53/drivers/char/ip2/i2cmd.c:206:i2cmdUnixFlags:
ERROR:BUFFER:206:206:Array bounds error (off >= len) ((*pCM).cmd[3], len
= 2, off = 3, min(off-len) = 1)
{
cmdSyntaxPtr pCM = (cmdSyntaxPtr) ct47;
pCM->cmd[1] = (unsigned char) iflag;
pCM->cmd[2] = (unsigned char) (iflag >> 8);
Error --->
pCM->cmd[3] = (unsigned char) cflag;
pCM->cmd[4] = (unsigned char) (cflag >> 8);
pCM->cmd[5] = (unsigned char) lflag;
pCM->cmd[6] = (unsigned char) (lflag >> 8);
---------------------------------------------------------
[BUG] [SEC]? off-by-one
/home/yxie/linux-2.5.53/net/bluetooth/af_bluetooth.c:99:bt_sock_create:
ERROR:BUFFER:99:99:Array bounds error (off >= len) [RANGE]
(bt_proto[proto], len = 5, off = sym_686294, max(off-len) = 0)
{
if (proto > BT_MAX_PROTO)
return -EINVAL;
#if defined(CONFIG_KMOD)
Error --->
if (!bt_proto[proto]) {
char module_name[30];
sprintf(module_name, "bt-proto-%d", proto);
request_module(module_name);
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/ide/ide-probe.c:1055:alloc_disks:
ERROR:BUFFER:1055:1055:Array bounds error (off < 0) [RANGE]
(disks[unit], min(off) = -1)
}
return 0;
Enomem:
printk(KERN_WARNING "(ide::init_gendisk) Out of memory\n");
while (unit--)
Error --->
put_disk(disks[unit]);
return -ENOMEM;
}
---------------------------------------------------------
[BUG] maybe. (i == 255)
/home/yxie/linux-2.5.53/drivers/net/tg3.c:5857:tg3_read_partno:
ERROR:BUFFER:5857:5857:Array bounds error (off >= len) [RANGE]
(vpd_data[i + 1], len = 256, off = (sym_8147517, 1, 1, 1), max(off-len)
= 0)
for (i = 0; i < 256; ) {
unsigned char val = vpd_data[i];
int block_end;
if (val == 0x82 || val == 0x91) {
Error --->
i = (i + 3 +
(vpd_data[i + 1] +
(vpd_data[i + 2] << 8)));
continue;
---------------------------------------------------------
[BUG] max = -1
/home/yxie/linux-2.5.53/drivers/media/video/msp3400.c:873:msp3400c_threa
d: ERROR:BUFFER:873:873:Array bounds error (off < 0)
(carrier_detect_main[max1], max(off) = -1)
val2 = val, max2 = this;
dprintk("msp3400: carrier2 val: %5d / %s\n",
val,cd[this].name);
}
/* programm the msp3400 according to the results */
Error --->
msp->main = carrier_detect_main[max1].cdo;
switch (max1) {
case 1: /* 5.5 */
if (max2 == 0) {
---------------------------------------------------------
[BUG] bar == 4? (from the loop above)
/home/yxie/linux-2.5.53/drivers/isdn/hardware/eicon/os_4bri.c:268:diva_4
bri_init_card: ERROR:BUFFER:268:268:Array bounds error (off >= len)
((*a).slave_adapters[bar], len = 3, off = (sym_17752159, 1, 1, 1),
min(off-len) = 1)
*/
quadro_list =
(PADAPTER_LIST_ENTRY) diva_os_malloc(0,
sizeof(*quadro_list));
if (!(a->slave_list = quadro_list)) {
for (i = 0; i < (tasks - 1); i++) {
Error --->
diva_os_free(0, a->slave_adapters[bar]);
a->slave_adapters[bar] = 0;
}
diva_4bri_cleanup_adapter(a);
---------------------------------------------------------
[BUG] base = &buf[4]
/home/yxie/linux-2.5.53/drivers/cdrom/cdrom.c:1170:dvd_read_physical:
ERROR:BUFFER:1170:1170:Array bounds error (off >= len) (*base + 16, len
= 20, off = 20, min(off-len) = 0)
layer->track_density = base[3] & 0xf;
layer->linear_density = base[3] >> 4;
layer->start_sector = base[5] << 16 | base[6] << 8 | base[7];
layer->end_sector = base[9] << 16 | base[10] << 8 | base[11];
layer->end_sector_l0 = base[13] << 16 | base[14] << 8 |
base[15];
Error --->
layer->bca = base[16] >> 7;
return 0;
}
---------------------------------------------------------
[BUG] should be cloop >> 2 in the index
/home/yxie/linux-2.5.53/drivers/hotplug/cpqphp_pci.c:1194:cpqhp_configur
e_board: ERROR:BUFFER:1194:1194:Array bounds error (off >= len)
((*func).config_space[cloop], len = 32, off = 32, min(off-len) = 0)
pci_bus_read_config_dword (pci_bus,
devfn, cloop, &temp);
if (temp != func->config_space[cloop >>
2]) {
dbg("Config space compare
failure!!! offset = %x\n", cloop);
dbg("bus = %x, device = %x,
function = %x\n", func->bus, func->device, func->function);
Error --->
dbg("temp = %x, config space =
%x\n\n", temp, func->config_space[cloop]);
return 1;
}
}
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/media/radio/radio-terratec.c:147:tt_setf
req: ERROR:BUFFER:147:147:Array bounds error (off < 0) (buffer[i],
max(off) = -1)
{
if (rest%temp == rest)
buffer[i] = 0;
else
{
Error --->
buffer[i] = 1;
rest = rest-temp;
}
i--;
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1137:force_delete_
disk: ERROR:BUFFER:1137:1137:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).deleted[dd.cnum], len = 31, off = sym_14786353,
max(off-len) = 0)
if (dd.cnum > MAXIMUM_NUM_CONTAINERS)
return -EINVAL;
/*
* Mark this container as being deleted.
*/
Error --->
fsa_dev_ptr->deleted[dd.cnum] = 1;
/*
* Mark the container as no longer valid
*/
---------------------------------------------------------
[BUG] divide by zero
/home/yxie/linux-2.5.53/drivers/char/ftape/lowlevel/ftape-read.c:608:fta
pe_decode_header_segment: ERROR:DIVZERO:608:608:ftape_segments_per_head
/ ftape_segments_per_cylinder
ft_tracks_per_tape,
((ft_segments_per_track * ft_tracks_per_tape -1) /
ftape_segments_per_head ),
(ftape_segments_per_head /
ftape_segments_per_cylinder - 1 ),
Error --->
(ftape_segments_per_cylinder *
FT_SECTORS_PER_SEGMENT));
TRACE_EXIT -EIO;
}
ftape_extract_bad_sector_map(address);
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/fs/cifs/cifssmb.c:233:CIFSSMBLogoff:
ERROR:BUFFER:233:233:Dereferencing uninitialized pointer (*pSMB)
evaluated in the following state
if (atomic_read(&ses->inUse) > 0) {
up(&ses->sesSem);
return -EBUSY;
}
if(ses->secMode & (SECMODE_SIGN_REQUIRED | SECMODE_SIGN_ENABLED))
Error --->
pSMB->hdr.Flags2 |= SMBFLG2_SECURITY_SIGNATURE;
rc = smb_init(SMB_COM_LOGOFF_ANDX, 2, 0 /* no tcon anymore */ ,
(void **) &pSMB, (void **) &smb_buffer_response);
if (rc) {
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1108:query_disk:
ERROR:BUFFER:1108:1108:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).deleted[qd.cnum], len = 31, off = sym_14786361,
max(off-len) = 0)
}
else return -EINVAL;
qd.valid = fsa_dev_ptr->valid[qd.cnum];
qd.locked = fsa_dev_ptr->locked[qd.cnum];
Error --->
qd.deleted = fsa_dev_ptr->deleted[qd.cnum];
if (fsa_dev_ptr->devname[qd.cnum][0] == '\0')
qd.unmapped = 1;
---------------------------------------------------------
[BUG] check default branch above
/home/yxie/linux-2.5.53/drivers/video/sis/sis_main.c:398:sisfb_validate_
mode: ERROR:BUFFER:398:398:Array bounds error (off < 0)
(sisbios_mode[sisfb_mode_idx], max(off) = -1)
}
break;
}
if(ivideo.chip < SIS_315H) {
Error --->
if(sisbios_mode[sisfb_mode_idx].xres > 1920)
sisfb_mode_idx = -1;
}
/* TW: TODO: Validate modes available on either 300 or 310/325
series only */
---------------------------------------------------------
[BUG] minor (recommend inserting break in the true branch of the if
statement)
/home/yxie/linux-2.5.53/drivers/video/sis/init301.c:2053:SiS_SetCRT2FIFO
_310: ERROR:BUFFER:2053:2053:Array bounds error (off >= len) [RANGE]
(CombCode[(int)temp3 + 1], len = 16, off = (sym_11686423, 1, 3, 1),
max(off-len) = 0)
/* get DRAM latency */
tempcl = (SiS_GetReg1(SiS_P3c4,0x17) >> 3) & 0x7; /* SR17[5:3]
DRAM Queue depth */
tempch = (SiS_GetReg1(SiS_P3c4,0x17) >> 6) & 0x3; /* SR17[7:6]
DRAM Grant length */
for (temp3 = 0; temp3 < 16; temp3 += 2) {
Error --->
if ((CombCode[temp3] == tempcl) && (CombCode[temp3+1] == tempch)) {
temp3 = CRT2ThLow[temp3 >> 1];
}
}
---------------------------------------------------------
[BUG] should check bus against 31
/home/yxie/linux-2.5.53/arch/i386/pci/numa.c:25:__pci_conf1_mq_read:
ERROR:BUFFER:25:25:Array bounds error (off >= len) [RANGE]
(mp_bus_id_to_node[bus], len = 32, off = sym_42073871, max(off-len) =
223)
if (!value || (bus > 255) || (dev > 31) || (fn > 7) || (reg >
255))
return -EINVAL;
spin_lock_irqsave(&pci_config_lock, flags);
Error --->
outl_quad(PCI_CONF1_MQ_ADDRESS(bus, dev, fn, reg), 0xCF8,
BUS2QUAD(bus));
switch (len) {
case 1:
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/scsi/dpt_i2o.c:1482:adpt_i2o_parse_lct:
ERROR:BUFFER:1482:1482:Array bounds error (off >= len) [RANGE]
((*pHba).channel[(int)bus_no].device[(int)scsi_id], len = 128, off =
sym_37752142, max(off-len) = 0)
continue;
}
if(scsi_id > MAX_ID){
continue;
}
Error --->
if(
pHba->channel[bus_no].device[scsi_id] == NULL){
pDev = kmalloc(sizeof(struct
adpt_device),GFP_KERNEL);
if(pDev == NULL) {
return -ENOMEM;
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/char/rio/rioroute.c:769:RIOIsolate:
ERROR:BUFFER:769:769:Array bounds error (off >= len) [RANGE]
((*HostP).Mapping[UnitId], len = 16, off = (sym_16102906, 1, -1, 1),
max(off-len) = 0)
UnitId--; /* this trick relies on the Unit Id
being UNSIGNED! */
if ( UnitId > MAX_RUP ) /* dontcha just lurv unsigned
maths! */
return(0);
Error --->
if ( HostP->Mapping[UnitId].Flags & BEEN_HERE )
return(0);
HostP->Mapping[UnitId].Flags |= BEEN_HERE;
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/block/cciss.c:348:cciss_open:
ERROR:BUFFER:348:348:Array bounds error (off >= len) [RANGE] (hba[ctlr],
len = 8, off = sym_24775581, max(off-len) = 0)
#ifdef CCISS_DEBUG
printk(KERN_DEBUG "cciss_open %x (%x:%x)\n", inode->i_rdev,
ctlr, dsk);
#endif /* CCISS_DEBUG */
Error --->
if (ctlr > MAX_CTLR || hba[ctlr] == NULL)
return -ENXIO;
/*
* Root is allowed to open raw volume zero even if its not
configured
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1167:delete_disk:
ERROR:BUFFER:1167:1167:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).devname[dd.cnum], len = 31, off = sym_14786346,
max(off-len) = 0)
else {
/*
* Mark the container as no longer being valid.
*/
fsa_dev_ptr->valid[dd.cnum] = 0;
Error --->
fsa_dev_ptr->devname[dd.cnum][0] = '\0';
return 0;
}
}
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/net/sk98lin/skxmac2.c:424:SkXmClrSrcChec
k: ERROR:BUFFER:424:424:Array bounds error (off >= len) (*pByte + 7, len
= 6, off = 7, min(off-len) = 1)
SK_IOC IoC, /* IO context */
int Port) /* The XMAC to handle with belongs to this Port
(MAC_1 + n) */
{
SK_U16 ZeroAddr[3] = {0x0000, 0x0000, 0x0000};
Error --->
XM_OUTHASH(IoC, Port, XM_SRC_CHK, &ZeroAddr);
} /* SkXmClrSrcCheck */
---------------------------------------------------------
[BUG] divide by zero
/home/yxie/linux-2.5.53/drivers/char/ftape/lowlevel/ftape-read.c:608:fta
pe_decode_header_segment:
ERROR:DIVZERO:608:608:ftape_status.fti_segments_per_track *
ftape_status.fti_tracks_per_tape - 1 / (unsigned
int)ftape_segments_per_head
ft_tracks_per_tape,
((ft_segments_per_track * ft_tracks_per_tape -1) /
ftape_segments_per_head ),
(ftape_segments_per_head /
ftape_segments_per_cylinder - 1 ),
Error --->
(ftape_segments_per_cylinder *
FT_SECTORS_PER_SEGMENT));
TRACE_EXIT -EIO;
}
ftape_extract_bad_sector_map(address);
---------------------------------------------------------
[BUG]
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1106:query_disk:
ERROR:BUFFER:1106:1106:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).valid[qd.cnum], len = 31, off = sym_14786361,
max(off-len) = 0)
qd.target = CONTAINER_TO_TARGET(qd.cnum);
qd.lun = CONTAINER_TO_LUN(qd.cnum);
}
else return -EINVAL;
Error --->
qd.valid = fsa_dev_ptr->valid[qd.cnum];
qd.locked = fsa_dev_ptr->locked[qd.cnum];
qd.deleted = fsa_dev_ptr->deleted[qd.cnum];
---------------------------------------------------------
[BUG] wrong bounds check
/home/yxie/linux-2.5.53/arch/i386/pci/numa.c:53:__pci_conf1_mq_write:
ERROR:BUFFER:53:53:Array bounds error (off >= len) [RANGE]
(mp_bus_id_to_node[bus], len = 32, off = sym_42073848, max(off-len) =
223)
if ((bus > 255) || (dev > 31) || (fn > 7) || (reg > 255))
return -EINVAL;
spin_lock_irqsave(&pci_config_lock, flags);
Error --->
outl_quad(PCI_CONF1_MQ_ADDRESS(bus, dev, fn, reg), 0xCF8,
BUS2QUAD(bus));
switch (len) {
case 1:
---------------------------------------------------------
[BUG] check against the wrong bounds
/home/yxie/linux-2.5.53/drivers/message/i2o/i2o_core.c:3066:i2o_report_c
ommon_status: ERROR:BUFFER:3066:3066:Array bounds error (off >= len)
[RANGE] (REPLY_STATUS[(int)req_status], len = 12, off = sym_47995228,
max(off-len) = 116)
};
if (req_status > I2O_REPLY_STATUS_PROGRESS_REPORT)
printk("RequestStatus = %0#2x", req_status);
else
Error --->
printk("%s", REPLY_STATUS[req_status]);
}
/*
---------------------------------------------------------
[BUG] off-by-one
/home/yxie/linux-2.5.53/drivers/scsi/aacraid/aachba.c:1110:query_disk:
ERROR:BUFFER:1110:1110:Array bounds error (off >= len) [RANGE]
((*fsa_dev_ptr).devname[qd.cnum], len = 31, off = sym_14786361,
max(off-len) = 0)
qd.valid = fsa_dev_ptr->valid[qd.cnum];
qd.locked = fsa_dev_ptr->locked[qd.cnum];
qd.deleted = fsa_dev_ptr->deleted[qd.cnum];
Error --->
if (fsa_dev_ptr->devname[qd.cnum][0] == '\0')
qd.unmapped = 1;
else
qd.unmapped = 0;
---------------------------------------------------------
[BUG] length of ultra5 and ultra6 are not long enough
/home/yxie/linux-2.5.53/drivers/ide/pci/siimage.c:223:siimage_tune_chips
et: ERROR:BUFFER:223:223:Array bounds error (off >= len)
(ultra5[(int)speed - 64], len = 6, off = 6, min(off-len) = 0)
case XFER_UDMA_3:
case XFER_UDMA_2:
case XFER_UDMA_1:
case XFER_UDMA_0:
multi = dma[2];
Error --->
ultra |= ((scsc) ? (ultra5[speed - XFER_UDMA_0])
:
(ultra6[speed -
XFER_UDMA_0]));
mode |= ((unit) ? 0x30 : 0x03);
config_siimage_chipset_for_pio(drive, 0);
# Summary for
# buffer-specific errors = 87
# /dev/null-specific errors = 0
# Common errors = 0
# Total = 87
# BUGs | File Name
9 | /scsi/aachba.c
5 | /char/i2cmd.c
4 | /i386/numa.c
3 | /message/i2o_block.c
3 | /drivers/DAC960.c
3 | /drivers/ibmphp_pci.c
3 | /video/init301.c
2 | /drivers/psi240i.c
2 | /net/qos.c
2 | /hardware/diva.c
2 | /drivers/tg3.c
2 | /ftape/ftape-read.c
2 | /net/skxmac2.c
2 | /drivers/eexpress.c
2 | /drivers/specialix.c
1 | /message/i2o_core.c
1 | /net/orinoco.c
1 | /drivers/cdrom.c
1 | /fs/cifssmb.c
1 | /net/smc-ircc.c
1 | /net/scc.c
1 | /media/bttv-cards.c
1 | /ide/siimage.c
1 | /drivers/cciss.c
1 | /isdn/isdn_common.c
1 | /net/rtnetlink.c
1 | /drivers/i82092.c
1 | /input/sunkbd.c
1 | /hardware/os_4bri.c
1 | /media/msp3400.c
1 | /fs/xfs_bmap_btree.c
1 | /sound/sb_card.c
1 | /char/rioroute.c
1 | /drivers/riscom8.c
1 | /drivers/dpt_i2o.c
1 | /net/af_bluetooth.c
1 | /drivers/cpqphp_pci.c
1 | /dvb/av7110.c
1 | /message/mptbase.c
1 | /sound/dev_table.c
1 | /fs/base.c
1 | /drivers/sx.c
1 | /video/init.c
1 | /drivers/cpqfcTSworker.c
1 | /drivers/qlogicfc.c
1 | /char/rioboot.c
1 | /media/radio-terratec.c
1 | /cpu/powernow-k6.c
1 | /net/3c359.c
1 | /usb/ohci-hub.c
1 | /drivers/3c59x.c
1 | /drivers/ll_rw_blk.c
1 | /char/riocmd.c
1 | /scsi/aic79xx_pci.c
1 | /video/sis_main.c
1 | /drivers/ide-probe.c
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Jan 31 2003 - 22:00:16 EST