OpenSolaris

Bug ID 6768523
Synopsis Array overrun in nxge
State 10-Fix Delivered (Fix available in build)
Category:Subcategory driver:nxge
Keywords parfait
Responsible Engineer Santwona Behera
Reported Against
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_108
Fixed In snv_108
Release Fixed solaris_nevada(snv_108) , solaris_10u8(s10u8_03) (Bug ID:2177566)
Related Bugs 6502748 , 6768510 , 2171587 , 6796568 , 6866508
Submit Date 6-November-2008
Last Update Date 11-February-2009
Description
usr/src/uts/common/io/nxge/nxge_espc.c

0303:			for (j = 0; j < NXGE_FCODE_VER_STR_LEN; j++, i++) {
0304:				ver_num_str[j] = nxgep->vpd_info.ver[i];
0305:				if (ver_num_str[j] == ' ')
0306:					break;
0307:			}
0308:			ver_num_str[j] = '\0';
0309:			break;
0310:		}
0311:	}

If the loop can exit without finding a ' ' character, then line 308 writes past
the end of the array.

usr/src/uts/common/io/nxge/nxge_main.c

2504:	i = 0;
2505:	size_index = 0;
2506:	array_size =  sizeof (alloc_sizes)/sizeof (size_t);
2507:	while ((alloc_sizes[size_index] < alloc_size) &&
2508:	    (size_index < array_size))
2509:		size_index++;
2510:	if (size_index >= array_size) {
2511:		size_index = array_size - 1;
2512:	}

Line 2507: Same case as uts/common/io/hxge/hxge_main.c on line 1641

2999:	total_alloc_size = alloc_size;
3000:	i = 0;
3001:	size_index = 0;
3002:	array_size =  sizeof (alloc_sizes) /  sizeof (size_t);
3003:	while ((alloc_sizes[size_index] < alloc_size) &&
3004:	    (size_index < array_size))
3005:		size_index++;
3006:	if (size_index >= array_size) {
3007:		size_index = array_size - 1;
3008:	}

Line 3003: Same case as uts/common/io/hxge/hxge_main.c on line 1641
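The two overruns above share one root cause: an index is used on the array before it is bounded (the loop counter reaching NXGE_FCODE_VER_STR_LEN before the terminator is written, and alloc_sizes[size_index] being read before size_index is compared against array_size). The following is an added example, not the driver's code or its delivered fix; it uses constructed constants and size classes to show the hardened form of both patterns.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for NXGE_FCODE_VER_STR_LEN; not the driver's value. */
#define VER_STR_LEN 8

/*
 * Pattern 1 (nxge_espc.c): copy a version token up to the first ' '.
 * In the vulnerable form the buffer has VER_STR_LEN slots and the loop
 * may exit with j == VER_STR_LEN, so the terminator lands one past the end.
 * Hardened form: the caller's buffer reserves one extra slot for the NUL,
 * and the copy also honours the source length. Returns characters copied.
 */
size_t copy_version_token(char out[VER_STR_LEN + 1], const char *src, size_t srclen)
{
    size_t j;

    for (j = 0; j < VER_STR_LEN && j < srclen; j++) {
        if (src[j] == ' ')
            break;
        out[j] = src[j];
    }
    out[j] = '\0';          /* j <= VER_STR_LEN: always inside out[] */
    return j;
}

/* Constructed size classes; the driver's alloc_sizes table is not reproduced. */
static const size_t alloc_sizes[] = { 256, 1024, 4096, 16384 };

/*
 * Pattern 2 (nxge_main.c): choose the smallest size class that fits.
 * The vulnerable form evaluates alloc_sizes[size_index] before checking
 * size_index < array_size, so a request larger than every class reads one
 * element past the table before the bound test runs. Hardened form: test
 * the bound first; && short-circuits, so the read never happens out of range.
 */
size_t pick_size_class(size_t alloc_size)
{
    size_t array_size = sizeof (alloc_sizes) / sizeof (size_t);
    size_t size_index = 0;

    while ((size_index < array_size) &&
        (alloc_sizes[size_index] < alloc_size))
        size_index++;
    if (size_index >= array_size)
        size_index = array_size - 1;    /* clamp oversize requests */
    return size_index;
}
```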

This bug was found using the Parfait source code analysis tool. 
See http://research.sun.com/projects/parfait
Work Around
N/A
Comments
N/A