From 3faa19cd9dfac30aa08bc311ddbd62ee5ccc0d85 Mon Sep 17 00:00:00 2001 From: David Kilroy Date: Sat, 21 Feb 2009 16:52:54 +0000 Subject: orinoco: prevent accessing memory outside the firmware image Do this by indicating the end of the appropriate regions of memory. Note that MAX_PDA_SIZE should only apply to the PDA block read from flash/EEPROM, and has been erronously applied to the pdr elements. Remove the macro, and use the actual PDA size passed down by the caller. We also fix up some of the types used, marking as much as possible const, and using void* for the end pointers. Signed-off-by: David Kilroy Signed-off-by: John W. Linville --- drivers/net/wireless/orinoco/fw.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'drivers/net/wireless/orinoco/fw.c') diff --git a/drivers/net/wireless/orinoco/fw.c b/drivers/net/wireless/orinoco/fw.c index 9f163feb936..e7abb45d675 100644 --- a/drivers/net/wireless/orinoco/fw.c +++ b/drivers/net/wireless/orinoco/fw.c @@ -83,7 +83,7 @@ orinoco_dl_firmware(struct orinoco_private *priv, const struct firmware *fw_entry; const struct orinoco_fw_header *hdr; const unsigned char *first_block; - const unsigned char *end; + const void *end; const char *firmware; const char *fw_err; struct net_device *dev = priv->ndev; @@ -152,7 +152,8 @@ orinoco_dl_firmware(struct orinoco_private *priv, le16_to_cpu(hdr->headersize) + le32_to_cpu(hdr->pdr_offset)); - err = hermes_apply_pda_with_defaults(hw, first_block, pda); + err = hermes_apply_pda_with_defaults(hw, first_block, end, pda, + &pda[fw->pda_size / sizeof(*pda)]); printk(KERN_DEBUG "%s: Apply PDA returned %d\n", dev->name, err); if (err) goto abort; @@ -184,7 +185,7 @@ free: */ static int symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw, - const unsigned char *image, const unsigned char *end, + const unsigned char *image, const void *end, int secondary) { hermes_t *hw = &priv->hw; @@ -225,9 +226,10 @@ symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw, /* Write the PDA to the adapter */ if (secondary) { - size_t len = hermes_blocks_length(first_block); + size_t len = hermes_blocks_length(first_block, end); ptr = first_block + len; - ret = hermes_apply_pda(hw, ptr, pda); + ret = hermes_apply_pda(hw, ptr, end, pda, + &pda[fw->pda_size / sizeof(*pda)]); kfree(pda); if (ret) return ret; -- cgit v1.2.3-70-g09d2