diff options
Diffstat (limited to 'drivers/net/wireless/orinoco/fw.c')
| -rw-r--r-- | drivers/net/wireless/orinoco/fw.c | 86 |
1 files changed, 68 insertions, 18 deletions
diff --git a/drivers/net/wireless/orinoco/fw.c b/drivers/net/wireless/orinoco/fw.c index 7d2292d6ce0..1084b43e04b 100644 --- a/drivers/net/wireless/orinoco/fw.c +++ b/drivers/net/wireless/orinoco/fw.c @@ -43,6 +43,46 @@ struct orinoco_fw_header { char signature[0]; /* FW signature length headersize-20 */ } __attribute__ ((packed)); +/* Check the range of various header entries. Return a pointer to a + * description of the problem, or NULL if everything checks out. */ +static const char *validate_fw(const struct orinoco_fw_header *hdr, size_t len) +{ + u16 hdrsize; + + if (len < sizeof(*hdr)) + return "image too small"; + if (memcmp(hdr->hdr_vers, "HFW", 3) != 0) + return "format not recognised"; + + hdrsize = le16_to_cpu(hdr->headersize); + if (hdrsize > len) + return "bad headersize"; + if ((hdrsize + le32_to_cpu(hdr->block_offset)) > len) + return "bad block offset"; + if ((hdrsize + le32_to_cpu(hdr->pdr_offset)) > len) + return "bad PDR offset"; + if ((hdrsize + le32_to_cpu(hdr->pri_offset)) > len) + return "bad PRI offset"; + if ((hdrsize + le32_to_cpu(hdr->compat_offset)) > len) + return "bad compat offset"; + + /* TODO: consider adding a checksum or CRC to the firmware format */ + return NULL; +} + +#if defined(CONFIG_HERMES_CACHE_FW_ON_INIT) || defined(CONFIG_PM_SLEEP) +static inline const struct firmware * +orinoco_cached_fw_get(struct orinoco_private *priv, bool primary) +{ + if (primary) + return priv->cached_pri_fw; + else + return priv->cached_fw; +} +#else +#define orinoco_cached_fw_get(priv, primary) (NULL) +#endif + /* Download either STA or AP firmware into the card. */ static int orinoco_dl_firmware(struct orinoco_private *priv, @@ -56,8 +96,9 @@ orinoco_dl_firmware(struct orinoco_private *priv, const struct firmware *fw_entry; const struct orinoco_fw_header *hdr; const unsigned char *first_block; - const unsigned char *end; + const void *end; const char *firmware; + const char *fw_err; struct net_device *dev = priv->ndev; int err = 0; @@ -79,7 +120,7 @@ orinoco_dl_firmware(struct orinoco_private *priv, if (err) goto free; - if (!priv->cached_fw) { + if (!orinoco_cached_fw_get(priv, false)) { err = request_firmware(&fw_entry, firmware, priv->dev); if (err) { @@ -89,10 +130,19 @@ orinoco_dl_firmware(struct orinoco_private *priv, goto free; } } else - fw_entry = priv->cached_fw; + fw_entry = orinoco_cached_fw_get(priv, false); hdr = (const struct orinoco_fw_header *) fw_entry->data; + fw_err = validate_fw(hdr, fw_entry->size); + if (fw_err) { + printk(KERN_WARNING "%s: Invalid firmware image detected (%s). " + "Aborting download\n", + dev->name, fw_err); + err = -EINVAL; + goto abort; + } + /* Enable aux port to allow programming */ err = hermesi_program_init(hw, le32_to_cpu(hdr->entry_point)); printk(KERN_DEBUG "%s: Program init returned %d\n", dev->name, err); @@ -115,7 +165,8 @@ orinoco_dl_firmware(struct orinoco_private *priv, le16_to_cpu(hdr->headersize) + le32_to_cpu(hdr->pdr_offset)); - err = hermes_apply_pda_with_defaults(hw, first_block, pda); + err = hermes_apply_pda_with_defaults(hw, first_block, end, pda, + &pda[fw->pda_size / sizeof(*pda)]); printk(KERN_DEBUG "%s: Apply PDA returned %d\n", dev->name, err); if (err) goto abort; @@ -132,7 +183,7 @@ orinoco_dl_firmware(struct orinoco_private *priv, abort: /* If we requested the firmware, release it. */ - if (!priv->cached_fw) + if (!orinoco_cached_fw_get(priv, false)) release_firmware(fw_entry); free: @@ -147,7 +198,7 @@ free: */ static int symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw, - const unsigned char *image, const unsigned char *end, + const unsigned char *image, const void *end, int secondary) { hermes_t *hw = &priv->hw; @@ -188,9 +239,10 @@ symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw, /* Write the PDA to the adapter */ if (secondary) { - size_t len = hermes_blocks_length(first_block); + size_t len = hermes_blocks_length(first_block, end); ptr = first_block + len; - ret = hermes_apply_pda(hw, ptr, pda); + ret = hermes_apply_pda(hw, ptr, end, pda, + &pda[fw->pda_size / sizeof(*pda)]); kfree(pda); if (ret) return ret; @@ -234,20 +286,20 @@ symbol_dl_firmware(struct orinoco_private *priv, int ret; const struct firmware *fw_entry; - if (!priv->cached_pri_fw) { + if (!orinoco_cached_fw_get(priv, true)) { if (request_firmware(&fw_entry, fw->pri_fw, priv->dev) != 0) { printk(KERN_ERR "%s: Cannot find firmware: %s\n", dev->name, fw->pri_fw); return -ENOENT; } } else - fw_entry = priv->cached_pri_fw; + fw_entry = orinoco_cached_fw_get(priv, true); /* Load primary firmware */ ret = symbol_dl_image(priv, fw, fw_entry->data, fw_entry->data + fw_entry->size, 0); - if (!priv->cached_pri_fw) + if (!orinoco_cached_fw_get(priv, true)) release_firmware(fw_entry); if (ret) { printk(KERN_ERR "%s: Primary firmware download failed\n", @@ -255,19 +307,19 @@ symbol_dl_firmware(struct orinoco_private *priv, return ret; } - if (!priv->cached_fw) { + if (!orinoco_cached_fw_get(priv, false)) { if (request_firmware(&fw_entry, fw->sta_fw, priv->dev) != 0) { printk(KERN_ERR "%s: Cannot find firmware: %s\n", dev->name, fw->sta_fw); return -ENOENT; } } else - fw_entry = priv->cached_fw; + fw_entry = orinoco_cached_fw_get(priv, false); /* Load secondary firmware */ ret = symbol_dl_image(priv, fw, fw_entry->data, fw_entry->data + fw_entry->size, 1); - if (!priv->cached_fw) + if (!orinoco_cached_fw_get(priv, false)) release_firmware(fw_entry); if (ret) { printk(KERN_ERR "%s: Secondary firmware download failed\n", @@ -301,9 +353,9 @@ int orinoco_download(struct orinoco_private *priv) return err; } +#if defined(CONFIG_HERMES_CACHE_FW_ON_INIT) || defined(CONFIG_PM_SLEEP) void orinoco_cache_fw(struct orinoco_private *priv, int ap) { -#if defined(CONFIG_HERMES_CACHE_FW_ON_INIT) || defined(CONFIG_PM_SLEEP) const struct firmware *fw_entry = NULL; const char *pri_fw; const char *fw; @@ -323,12 +375,10 @@ void orinoco_cache_fw(struct orinoco_private *priv, int ap) if (request_firmware(&fw_entry, fw, priv->dev) == 0) priv->cached_fw = fw_entry; } -#endif } void orinoco_uncache_fw(struct orinoco_private *priv) { -#if defined(CONFIG_HERMES_CACHE_FW_ON_INIT) || defined(CONFIG_PM_SLEEP) if (priv->cached_pri_fw) release_firmware(priv->cached_pri_fw); if (priv->cached_fw) @@ -336,5 +386,5 @@ void orinoco_uncache_fw(struct orinoco_private *priv) priv->cached_pri_fw = NULL; priv->cached_fw = NULL; -#endif } +#endif |