14 is added as an offset to the array dummy_packet (64 unsigned chars) to
serve as a destination address in a call to memset(). However, when added,
it is automatically scaled by the size of dummy_packet, which is 64. This
results in writing to unintended memory.
Signed-off-by: Roel Kluin <[email protected]>
---
diff --git a/drivers/net/eth16i.c b/drivers/net/eth16i.c
index e3dd8b1..1ae0b3e 100644
--- a/drivers/net/eth16i.c
+++ b/drivers/net/eth16i.c
@@ -680,7 +680,7 @@ static int eth16i_probe_port(int ioaddr)
dummy_packet[12] = 0x00;
dummy_packet[13] = 0x04;
- memset(dummy_packet + 14, 0, sizeof(dummy_packet) - 14);
+ memset((char *)dummy_packet + 14, 0, sizeof(dummy_packet) - 14);
eth16i_select_regbank(2, ioaddr);
On Tue, Nov 06, 2007 at 11:57:44PM +0100, Roel Kluin wrote:
> 14 is added as an offset to the array dummy_packet (64 unsigned chars) to
> serve as a destination address in a call to memset(). However, when added,
> it is automatically scaled by the size of dummy_packet, which is 64. This
> results in writing to unintended memory.
NAK. Learn C.
Al Viro wrote:
> On Tue, Nov 06, 2007 at 11:57:44PM +0100, Roel Kluin wrote:
>> 14 is added as an offset to the array dummy_packet (64 unsigned chars) to
>> serve as a destination address in a call to memset(). However, when added,
>> it is automatically scaled by the size of dummy_packet, which is 64. This
>> results in writing to unintended memory.
>
> NAK. Learn C.
>
yeah I read your other mail, was going to reply myself anyway, but hey, you
had to be rude again.