NetBSD Problem Report #50759

From  Wed Feb  3 10:20:55 2016
Date: Wed,  3 Feb 2016 10:20:54 +0000 (UTC)
Subject: [src/sys/arch/x68k/dev/zs.c:159]: (error) Array 'zs_physaddr[5]' accessed at index 5, which is out of bounds.
X-Send-Pr-Version: www-1.0

>Number:         50759
>Category:       port-x68k
>Synopsis:       [src/sys/arch/x68k/dev/zs.c:159]: (error) Array 'zs_physaddr[5]' accessed at index 5, which is out of bounds.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    port-x68k-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 03 10:25:00 +0000 2016
>Closed-Date:    Tue May 31 03:54:52 +0000 2016
>Last-Modified:  Tue May 31 03:54:52 +0000 2016
>Originator:     David Binderman
>Release:        cvs dated 20160203

Source code is

    for (i = 0; i < ZS_MAXDEV; i++)
        if (zsaddr == (void *)zs_physaddr[i]) /* XXX */
            break;

    /* ... */

    /* i == ZS_MAXDEV here when the loop found no match */
    if (zsaddr != (void *)zs_physaddr[i])
        return 0;

Maybe better code

    for (i = 0; i < ZS_MAXDEV; i++)
        if (zsaddr == (void *)zs_physaddr[i]) /* XXX */
            break;

    /* ... */

    /* test the loop index instead of reading the array again */
    if (i >= ZS_MAXDEV)
        return 0;




From: "David A. Holland" <>
Subject: PR/50759 CVS commit: src/sys/arch/x68k/dev
Date: Tue, 31 May 2016 03:22:30 +0000

 Module Name:	src
 Committed By:	dholland
 Date:		Tue May 31 03:22:30 UTC 2016

 Modified Files:
 	src/sys/arch/x68k/dev: zs.c

 Log Message:
 PR 50759 David Binderman: fix out of bounds array access.

 If we don't find one of the expected device addresses, reject the
 match, but do it by checking whether the loop matched something rather
 than by testing an array entry that might be one past the end.

 Note: I have also moved the test to be with the loop; since the call
 to intio_map_allocate_region had gotten placed in between them, I've
 moved it to go before rather than after them as (a) it doesn't
 interact with the loop itself and (b) this seems like the best choice
 given the history as it was deliberately added before the original

 I have not tried running this, not having an x68k, but as best I can
 tell by reading the intio code it seems like it should be harmless
 even if it's not really correct.

 To generate a diff of this commit:
 cvs rdiff -u -r1.42 -r1.43 src/sys/arch/x68k/dev/zs.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-When: Tue, 31 May 2016 03:54:52 +0000
fixed, thanks
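
The failure mode this PR fixes, as an added example (not code from zs.c or the NetBSD tree). The table values and the names table, match_buggy and match_fixed are constructed; the extra sixth slot stands in for whatever memory follows the real array, so the one-past-the-end read can be shown without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ZS_MAXDEV 5

/* Slots 0..4 model zs_physaddr[]; slot 5 models adjacent memory (constructed). */
static const uintptr_t table[ZS_MAXDEV + 1] = {
	0x1000, 0x2000, 0x3000, 0x4000, 0x5000,	/* sample device addresses */
	0x9999					/* neighbouring memory */
};

/* Pre-fix logic: on a miss i == ZS_MAXDEV, yet table[i] is still read. */
static int match_buggy(uintptr_t zsaddr)
{
	size_t i;

	for (i = 0; i < ZS_MAXDEV; i++)
		if (zsaddr == table[i])
			break;
	if (zsaddr != table[i])		/* reads slot ZS_MAXDEV on a miss */
		return 0;
	return 1;
}

/* Post-fix logic: decide from the loop index, never from the array. */
static int match_fixed(uintptr_t zsaddr)
{
	size_t i;

	for (i = 0; i < ZS_MAXDEV; i++)
		if (zsaddr == table[i])
			break;
	if (i >= ZS_MAXDEV)
		return 0;
	return 1;
}

int main(void)
{
	/* a real device address, a plain miss, and the neighbouring value */
	const uintptr_t probes[] = { 0x3000, 0x7777, 0x9999 };

	for (size_t k = 0; k < sizeof(probes) / sizeof(probes[0]); k++)
		printf("%#lx buggy=%d fixed=%d\n", (unsigned long)probes[k],
		    match_buggy(probes[k]), match_fixed(probes[k]));
	return 0;
}
```

The third probe is the case that matters: the pre-fix check accepts an address that is not in the table because it equals the value stored after the array, while the index check rejects it.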

