diff options
author | roel kluin <roel.kluin@gmail.com> | 2009-08-10 01:29:52 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-08-13 16:26:10 -0700 |
commit | 8dd07086a1f8048428d33a1917b6209978750cb1 (patch) | |
tree | 2f6ba6838459114c802302a89d049ee2ef7a2458 | |
parent | a6fa32866567351503db8a5c3466a676ba08595f (diff) | |
download | kernel_samsung_crespo-8dd07086a1f8048428d33a1917b6209978750cb1.zip kernel_samsung_crespo-8dd07086a1f8048428d33a1917b6209978750cb1.tar.gz kernel_samsung_crespo-8dd07086a1f8048428d33a1917b6209978750cb1.tar.bz2 |
lmc: Read outside array bounds
If dev_alloc_skb() fails on the first iteration of the allocation loop,
then we end up writing before the start of the array.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/net/wan/lmc/lmc_main.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/net/wan/lmc/lmc_main.c b/drivers/net/wan/lmc/lmc_main.c index d1492ae..6e6b08c 100644 --- a/drivers/net/wan/lmc/lmc_main.c +++ b/drivers/net/wan/lmc/lmc_main.c @@ -1897,11 +1897,12 @@ static void lmc_softreset (lmc_softc_t * const sc) /*fold00*/ /* * Sets end of ring */ - sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */ - sc->lmc_rxring[i - 1].buffer2 = virt_to_bus (&sc->lmc_rxring[0]); /* Point back to the start */ + if (i != 0) { + sc->lmc_rxring[i - 1].length |= 0x02000000; /* Set end of buffers flag */ + sc->lmc_rxring[i - 1].buffer2 = virt_to_bus(&sc->lmc_rxring[0]); /* Point back to the start */ + } LMC_CSR_WRITE (sc, csr_rxlist, virt_to_bus (sc->lmc_rxring)); /* write base address */ - /* Initialize the transmit rings and buffers */ for (i = 0; i < LMC_TXDESCS; i++) { |