s6gmac: Read buffer overflow

Check whether index is within bounds before testing the element.
In the last iteration i is PHY_MAX_ADDR. the condition
`!(p = pd->mii.bus->phy_map[PHY_MAX_ADDR])' is undefined and may
evaluate to false, which leads to a dereference of this invalid
phy_map in the phy_connect() below.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/s6gmac.c b/drivers/net/s6gmac.c
index 5345e47..4525cbe 100644 (file)
--- a/drivers/net/s6gmac.c
+++ b/drivers/net/s6gmac.c
@@ -793,7 +793,7 @@ static inline int s6gmac_phy_start(struct net_device *dev)
        struct s6gmac *pd = netdev_priv(dev);
        int i = 0;
        struct phy_device *p = NULL;
-       while ((!(p = pd->mii.bus->phy_map[i])) && (i < PHY_MAX_ADDR))
+       while ((i < PHY_MAX_ADDR) && (!(p = pd->mii.bus->phy_map[i])))
                i++;
        p = phy_connect(dev, dev_name(&p->dev), &s6gmac_adjust_link, 0,
                        PHY_INTERFACE_MODE_RGMII);