b53: fix memory out of bounds access on 64 bit targets
author Jonas Gorski <jogo@openwrt.org>
Wed, 10 Jun 2015 09:21:36 +0000 (09:21 +0000)
committer Jonas Gorski <jogo@openwrt.org>
Wed, 10 Jun 2015 09:21:36 +0000 (09:21 +0000)
On device reset the sizes for the vlan and port tables were wrongly
calculated based on the pointer size instead of the struct size. This
causes buffer overruns on 64 bit targets, resulting in panics.

Fix this by dereferencing the pointers.

Reported-by: Fedor Konstantinov <blmink@mink.su>
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 45938

target/linux/generic/files/drivers/net/phy/b53/b53_common.c

index 2b05d5d464d9804442c5c2c86162780c93074d5f..47b5a8b03f642aff9bf1cd3d4aa6263444238ecd 100644 (file)
@@ -803,8 +803,8 @@ static int b53_global_reset_switch(struct switch_dev *dev)
        priv->enable_jumbo = 0;
        priv->allow_vid_4095 = 0;
 
-       memset(priv->vlans, 0, sizeof(priv->vlans) * dev->vlans);
-       memset(priv->ports, 0, sizeof(priv->ports) * dev->ports);
+       memset(priv->vlans, 0, sizeof(*priv->vlans) * dev->vlans);
+       memset(priv->ports, 0, sizeof(*priv->ports) * dev->ports);
 
        return b53_switch_reset(priv);
 }
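
Review bot: The corrected memset calls in b53_global_reset_switch are only safe if priv->vlans and priv->ports were allocated with at least dev->vlans and dev->ports elements, and the allocation is not part of this hunk. Please confirm the allocation site uses the same sizeof(*priv->vlans) * dev->vlans and sizeof(*priv->ports) * dev->ports expressions, since a mismatch there would reintroduce the overrun. The old sizeof(priv->vlans) form takes the size of the pointer rather than the element, so it is also worth checking the rest of b53_common.c for the same pattern on these two fields.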