2000-12-07 00:39:59

by Jesper Dangaard Brouer

[permalink] [raw]
Subject: [PATCH] tulip driver, 2.4.0-test11 kernel, media type

Error/bug in the "tulip" network driver from the 2.4.0-test11 kernel, when
detecting media type.

The bug is quite simple. When detecting the media type, it's possible to
access data outside/beyond the array "medianame[]". This leads to an
kernel panic Oops.

I detected the bug, when using the netcard:
Phobos P430 Quad port (4 port card)

The card reports it's media type ("leaf->media") to be "17". And the
array "medianame" only contains 16 entries (0-15).

This patch only assures that we don't access elements beyond the static
size of the array (defensive coding).

We should of course expand the array "medianame" with the appropriate
entries. Note, that Donald Beckers version of the tulip driver have 8
extra elements in this array.

Jesper Brouer <[email protected]>

System Administrator
Dept. of Computer Science, University of Copenhagen
E-mail: [email protected], Direct Tel.: 353 21375

The patch:

--- linux-2.4.0-test11/drivers/net/tulip/eeprom.c Mon Jun 19 22:42:39 2000
+++ linux/drivers/net/tulip/eeprom.c Wed Dec 6 23:03:10 2000
@@ -236,7 +236,8 @@
printk(KERN_INFO "%s: Index #%d - Media %s (#%d) described "
"by a %s (%d) block.\n",
- dev->name, i, medianame[leaf->media], leaf->media,
+ dev->name, i,
+ leaf->media < 16 ? medianame[leaf->media] : "UNKNOWN", leaf->media,
block_name[leaf->type], leaf->type);
if (new_advertise)

tulip.patch (504.00 B)