• Arnd Bergmann's avatar
    farsync: fix off-by-one bug in fst_add_one · e725a66c
    Arnd Bergmann authored
    gcc-6 finds an out of bounds access in the fst_add_one function
    when calculating the end of the mmio area:
    
    drivers/net/wan/farsync.c: In function 'fst_add_one':
    drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
     #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                                         ^
    include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
      __builtin_offsetof(a, b)
                         ^
    drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
     #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                         ^~~~~~~~
    drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
                                      + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
                                        ^~~~~~~~~~
    
    The warning is correct, but not critical because this appears
    to be a write-only variable that is set by each WAN driver but
    never accessed afterwards.
    
    I'm taking the minimal fix here, using the correct pointer by
    pointing 'mem_end' to the last byte inside of the register area
    as all other WAN drivers do, rather than the first byte outside of
    it. An alternative would be to just remove the mem_end member
    entirely.
    Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    e725a66c
farsync.c 70.1 KB