OpenSolaris

Bug ID: 6796568
Synopsis: Array overrun in nxge
State: 10-Fix Delivered (Fix available in build)
Category:Subcategory: driver:nxge
Keywords: parfait
Responsible Engineer: Santwona Behera
Reported Against:
Duplicate Of:
Introduced In: solaris_nevada
Commit to Fix: snv_108
Fixed In: snv_108
Release Fixed: solaris_nevada(snv_108), solaris_10u8(s10u8_03) (Bug ID:2177567)
Related Bugs: 6405398, 6502748, 6768523, 2171587, 6866508
Submit Date: 22-January-2009
Last Update Date: 11-February-2009
Description
usr/src/uts/common/io/nxge/nxge_main.c (lines 1701-1709)

#if defined(__i386)
	size_t		reg;
#else
	uint64_t	reg;
#endif
	uint64_t	regdata;
	int		i, retry;

	bcopy((char *)mp->b_rptr, (char *)&reg, sizeof (uint64_t));

The bcopy() unconditionally copies 8 bytes (sizeof (uint64_t)), but the size of the destination, reg, is architecture-dependent.

usr/src/uts/common/io/nxge/nxge_ndd.c (lines 1113-1123)

   buf_len -= print_len;

   for (i = 0; i < NXGE_MAX_RDCS; i++) {
           if (p_cfgp->grpids[i]) {
                   rdc_grp_p = &p_dma_cfgp->rdc_grps[i];
                   print_len = snprintf((char *)((mblk_t *)np)->b_wptr,
                       buf_len,
                       "\nRDC Group Info for Group [%d] %d\n"
                       "RDC Count %d\tstart RDC %d\n"
                       "RDC Group Population Information"
                       " (offsets 0 - 15)\n",

NXGE_MAX_RDCS = 16, but the array being indexed has only 8 elements.

This bug was found using the Parfait source code analysis tool. 
See http://research.sun.com/projects/parfait
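
The two defects described above (a fixed 8-byte copy into a destination whose size depends on the architecture, and a loop bound larger than the array it indexes), shown in hardened form as an added example. This is a user-space model written for this page, not nxge driver code and not the fix delivered in snv_108; msg_t, cfg_t, read_reg, demo_read, count_active and SAMPLE_CFG are hypothetical names, and because the report does not say which array has 8 elements, a single 8-element array is assumed.

```c
/* Added example: user-space model, not nxge driver code. msg_t, cfg_t,
 * read_reg, demo_read, count_active and SAMPLE_CFG are hypothetical names. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define N_GRPS 8	/* element count of the indexed array, per the report */
#define ARRAY_LEN(a) (sizeof (a) / sizeof ((a)[0]))
typedef struct { const unsigned char *rptr, *wptr; } msg_t; /* mblk_t stand-in */
typedef struct { uint8_t grpids[N_GRPS]; } cfg_t;	/* assumed layout */
static const cfg_t SAMPLE_CFG = { { 1, 0, 1, 0, 0, 0, 0, 1 } }; /* constructed */

/* Issue 1: copy into a fixed-width temporary, then narrow with a range check. */
static int read_reg(const msg_t *mp, size_t *reg)
{
	uint64_t wire;
	if ((size_t)(mp->wptr - mp->rptr) < sizeof (wire))
		return (-1);	/* message shorter than the 8-byte field */
	memcpy(&wire, mp->rptr, sizeof (wire));	/* length == sizeof destination */
	if (wire > SIZE_MAX)
		return (-1);	/* value does not fit a 32-bit size_t */
	*reg = (size_t)wire;
	return (0);
}

/* Constructed input: an 8-byte native-endian value, cut to msg_len bytes. */
static long long demo_read(uint64_t value, size_t msg_len)
{
	unsigned char buf[sizeof (uint64_t)];
	msg_t m;
	size_t reg = 0;
	memcpy(buf, &value, sizeof (buf));
	m.rptr = buf;
	m.wptr = buf + (msg_len < sizeof (buf) ? msg_len : sizeof (buf));
	return (read_reg(&m, &reg) == 0 ? (long long)reg : -1);
}

/* Issue 2: bound the loop by the array's own length, not a separate constant. */
static size_t count_active(const cfg_t *cfg)
{
	size_t i, n = 0;
	for (i = 0; i < ARRAY_LEN(cfg->grpids); i++)
		n += (cfg->grpids[i] != 0);
	return (n);
}

int main(void)
{
	return (demo_read(0x1000, 8) == 0x1000 && count_active(&SAMPLE_CFG) == 3 ? 0 : 1);
}
```

Tying the copy length to sizeof the destination and the loop bound to the array's own element count keeps both checks correct if either type or constant changes later.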
Work Around
N/A
Comments
N/A