From: "John W. Linville" <linville@tuxdriver.com>
To: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Tim Gardner <tim.gardner@canonical.com>,
Chaoming Li <chaoming_li@realsil.com.cn>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] rtlwifi: rtl8192se firmware load can overflow target buffer
Date: Wed, 15 Feb 2012 13:55:26 -0500
Message-ID: <20120215185525.GE4379@tuxdriver.com>
In-Reply-To: <1328833192-10681-1-git-send-email-Larry.Finger@lwfinger.net>

Is this a fix that should go to 3.3?

On Thu, Feb 09, 2012 at 06:19:52PM -0600, Larry Finger wrote:
> From: Tim Gardner <tim.gardner@canonical.com>
>
> Define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE which represents the
> maximum possible firmware file size. Use it in the definition
> of the buffer which receives the firmware file data.
>
> Set RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE closer to the actual size of
> the firmware file, e.g., 90000 (down from hard coded 164000). The current
> size of rtlwifi/rtl8192sefw.bin is 88856.
>
> Set max_fw_size to RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE for the size limit
> check. Fix the error case where max_fw_size is not cleared if the size
> limit check fails.
>
> Cc: Chaoming Li <chaoming_li@realsil.com.cn>
> Cc: linux-wireless@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
> ---
> drivers/net/wireless/rtlwifi/rtl8192se/fw.h | 3 ++-
> drivers/net/wireless/rtlwifi/rtl8192se/sw.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/fw.h b/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
> index babe85d..b4afff6 100644
> --- a/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
> +++ b/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
> @@ -30,6 +30,7 @@
> #define __REALTEK_FIRMWARE92S_H__
>
> #define RTL8190_MAX_FIRMWARE_CODE_SIZE 64000
> +#define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE 90000
> #define RTL8190_CPU_START_OFFSET 0x80
> /* Firmware Local buffer size. 64k */
> #define MAX_FIRMWARE_CODE_SIZE 0xFF00
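Review bot: RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE is added without a comment, and its name differs from RTL8190_MAX_FIRMWARE_CODE_SIZE on the line above only by RAW, so a reader of fw.h cannot tell that the new one bounds the whole firmware file while the other sizes fw_emem. The commit message gives the current file as 88856 bytes, which leaves 1144 bytes of headroom at 90000; a one-line comment saying this is the maximum size of the firmware file as loaded, and that it must be raised if a larger image ships, would spare the next person a "Firmware is too big!" failure with no hint why.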
> @@ -217,7 +218,7 @@ struct rt_firmware {
> u8 fw_emem[RTL8190_MAX_FIRMWARE_CODE_SIZE];
> u32 fw_imem_len;
> u32 fw_emem_len;
> - u8 sz_fw_tmpbuffer[164000];
> + u8 sz_fw_tmpbuffer[RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE];
> u32 sz_fw_tmpbufferlen;
> u16 cmdpacket_fragthresold;
> };
> diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
> index ca38dd9..345d752 100644
> --- a/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
> +++ b/drivers/net/wireless/rtlwifi/rtl8192se/sw.c
> @@ -108,6 +108,7 @@ static void rtl92se_fw_cb(const struct firmware *firmware, void *context)
> if (firmware->size > rtlpriv->max_fw_size) {
> RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
> "Firmware is too big!\n");
> + rtlpriv->max_fw_size = 0;
> release_firmware(firmware);
> return;
> }
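Review bot: The added "rtlpriv->max_fw_size = 0;" in the too-big branch of rtl92se_fw_cb turns the size limit into a failure flag, and nothing at this site says who reads the zero. A short comment naming the consumer, or a separate status field, would make that contract explicit. The RT_TRACE message in the same branch would also be more useful if it printed firmware->size and rtlpriv->max_fw_size, the two numbers needed to diagnose a rejection.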
> @@ -232,7 +233,7 @@ static int rtl92s_init_sw_vars(struct ieee80211_hw *hw)
> return 1;
> }
>
> - rtlpriv->max_fw_size = sizeof(struct rt_firmware);
> + rtlpriv->max_fw_size = RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE;
>
> pr_info("Driver for Realtek RTL8192SE/RTL8191SE\n"
> "Loading firmware %s\n", rtlpriv->cfg->fw_name);
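Review bot: At the max_fw_size assignment in rtl92s_init_sw_vars, the limit and the bound of sz_fw_tmpbuffer now agree only because both spell the same macro. Taking the limit from sizeof on the sz_fw_tmpbuffer member of struct rt_firmware would keep the check in rtl92se_fw_cb tied to the actual destination array if either side is edited later; the removed "sizeof(struct rt_firmware)" shows how a bound taken from the wrong object lets a file larger than the array pass the check.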
> --
> 1.7.9
>
>
--
John W. Linville          Someday the world will need a hero, and you
linville@tuxdriver.com    might be all we have. Be ready.