[PATCH] wl1271: Fix overflow in wl1271_boot_upload

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] wl1271: Fix overflow in wl1271_boot_upload_nvs
@ 2010-09-22  7:53 Ido Yariv
  2010-09-22 10:24 ` Luciano Coelho
  0 siblings, 1 reply; 3+ messages in thread
From: Ido Yariv @ 2010-09-22  7:53 UTC (permalink / raw)
  To: linux-wireless; +Cc: Luciano Coelho, Ido Yariv

Due to miscalculation of nvs_len, excessive data was sent to the
firmware.
Fix this by first setting nvs_ptr to point to the first NVS table,
and computing the total size of all NVS tables accordingly.

Signed-off-by: Ido Yariv <ido@wizery.com>
---
 drivers/net/wireless/wl12xx/wl1271_boot.c |   17 ++++++-----------
 1 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/drivers/net/wireless/wl12xx/wl1271_boot.c b/drivers/net/wireless/wl12xx/wl1271_boot.c
index fc21db8..e5a7f04 100644
--- a/drivers/net/wireless/wl12xx/wl1271_boot.c
+++ b/drivers/net/wireless/wl12xx/wl1271_boot.c
@@ -274,11 +274,11 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
 
 	/*
 	 * We've reached the first zero length, the first NVS table
-	 * is 7 bytes further.
+	 * is located at an aligned offset which is at least 7 bytes further.
 	 */
-	nvs_ptr += 7;
+	nvs_ptr = (u8 *)wl->nvs->nvs +
+			ALIGN(nvs_ptr - (u8 *)wl->nvs->nvs + 7, 4);
 	nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;
-	nvs_len = ALIGN(nvs_len, 4);
 
 	/* FIXME: The driver sets the partition here, but this is not needed,
 	   since it sets to the same one as currently in use */
@@ -286,14 +286,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
 	wl1271_set_partition(wl, &part_table[PART_WORK]);
 
 	/* Copy the NVS tables to a new block to ensure alignment */
-	/* FIXME: We jump 3 more bytes before uploading the NVS.  It seems
-	that our NVS files have three extra zeros here.  I'm not sure whether
-	the problem is in our NVS generation or we should really jumpt these
-	3 bytes here */
-	nvs_ptr += 3;
-
-	nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); if
-	(!nvs_aligned) return -ENOMEM;
+	nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL);
+	if (!nvs_aligned)
+		return -ENOMEM;
 
 	/* And finally we upload the NVS tables */
 	/* FIXME: In wl1271, we upload everything at once.
-- 
1.7.0.4


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] wl1271: Fix overflow in wl1271_boot_upload_nvs
  2010-09-22  7:53 [PATCH] wl1271: Fix overflow in wl1271_boot_upload_nvs Ido Yariv
@ 2010-09-22 10:24 ` Luciano Coelho
  2010-09-23  7:46   ` Luciano Coelho
  0 siblings, 1 reply; 3+ messages in thread
From: Luciano Coelho @ 2010-09-22 10:24 UTC (permalink / raw)
  To: ext Ido Yariv; +Cc: linux-wireless@vger.kernel.org

On Wed, 2010-09-22 at 09:53 +0200, ext Ido Yariv wrote:
> Due to miscalculation of nvs_len, excessive data was sent to the
> firmware.
> Fix this by first setting nvs_ptr to point to the first NVS table,
> and computing the total size of all NVS tables accordingly.
> 
> Signed-off-by: Ido Yariv <ido@wizery.com>
> ---

This looks reasonable, thanks!

But I still want to have it briefly tested before I accept it.  Our
tester will try it out today or tomorrow and, if everything is okay,
I'll ack it.


>  drivers/net/wireless/wl12xx/wl1271_boot.c |   17 ++++++-----------
>  1 files changed, 6 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/net/wireless/wl12xx/wl1271_boot.c b/drivers/net/wireless/wl12xx/wl1271_boot.c
> index fc21db8..e5a7f04 100644
> --- a/drivers/net/wireless/wl12xx/wl1271_boot.c
> +++ b/drivers/net/wireless/wl12xx/wl1271_boot.c
> @@ -274,11 +274,11 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)

[...]

> -	nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); if
> -	(!nvs_aligned) return -ENOMEM;
> +	nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL);
> +	if (!nvs_aligned)
> +		return -ENOMEM;

This looks pretty odd.  But I checked wireless-testing and it is looking
bad there.  It's not like that in our internal tree, but git blames me
for doing it in wireless-testing. :) Thanks for fixing.

-- 
Cheers,
Luca.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] wl1271: Fix overflow in wl1271_boot_upload_nvs
  2010-09-22 10:24 ` Luciano Coelho
@ 2010-09-23  7:46   ` Luciano Coelho
  0 siblings, 0 replies; 3+ messages in thread
From: Luciano Coelho @ 2010-09-23  7:46 UTC (permalink / raw)
  To: ext Ido Yariv, John Linville
  Cc: linux-wireless@vger.kernel.org,
	Katila Tuomas.2 (EXT-Ixonos/Tampere)

On Wed, 2010-09-22 at 12:24 +0200, Luciano Coelho wrote:
> On Wed, 2010-09-22 at 09:53 +0200, ext Ido Yariv wrote:
> > Due to miscalculation of nvs_len, excessive data was sent to the
> > firmware.
> > Fix this by first setting nvs_ptr to point to the first NVS table,
> > and computing the total size of all NVS tables accordingly.
> > 
> > Signed-off-by: Ido Yariv <ido@wizery.com>
> > ---
> 
> This looks reasonable, thanks!
> 
> But I still want to have it briefly tested before I accept it.  Our
> tester will try it out today or tomorrow and, if everything is okay,
> I'll ack it.
> 

Okay, Tuomas has run some basic tests with this patch and didn't
observer any degradation in RF (which would signal possible problems
with the NVS uploading).

Thanks, Ido!

Tested-By: Tuomas Katila <ext-tuomas.2.katila@nokia.com>
Acked-by: Luciano Coelho <luciano.coelho@nokia.com>

John, please apply this patch, since my tree is not ready yet.

-- 
Cheers,
Luca.


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-09-23  7:47 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-22  7:53 [PATCH] wl1271: Fix overflow in wl1271_boot_upload_nvs Ido Yariv
2010-09-22 10:24 ` Luciano Coelho
2010-09-23  7:46   ` Luciano Coelho

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).