From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from bu3sch.de ([62.75.166.246]:47736 "EHLO vs166246.vserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752758AbZKWT76 (ORCPT ); Mon, 23 Nov 2009 14:59:58 -0500 From: Michael Buesch To: "John W. Linville" Subject: [PATCH] ssb: Fix range check in sprom write Date: Mon, 23 Nov 2009 20:58:06 +0100 Cc: bcm43xx-dev@lists.berlios.de, "linux-wireless" MIME-Version: 1.0 Message-Id: <200911232058.06369.mb@bu3sch.de> Content-Type: text/plain; charset="us-ascii" Sender: linux-wireless-owner@vger.kernel.org List-ID: The range check in the sprom image parser hex2sprom() is broken. One sprom word is 4 hex characters. This fixes the check and also adds much better sanity checks to the code. We better make sure the image is OK by doing some sanity checks to avoid bricking the device by accident. Signed-off-by: Michael Buesch Cc: stable@kernel.org --- Index: wireless-testing/drivers/ssb/sprom.c =================================================================== --- wireless-testing.orig/drivers/ssb/sprom.c 2009-11-23 14:24:57.000000000 +0100 +++ wireless-testing/drivers/ssb/sprom.c 2009-11-23 20:43:04.000000000 +0100 @@ -13,6 +13,8 @@ #include "ssb_private.h" +#include + static const struct ssb_sprom *fallback_sprom; 
@@ -33,17 +35,27 @@ static int sprom2hex(const u16 *sprom, c static int hex2sprom(u16 *sprom, const char *dump, size_t len, size_t sprom_size_words) { - char tmp[5] = { 0 }; - int cnt = 0; + char c, tmp[5] = { 0 }; + int err, cnt = 0; unsigned long parsed; - if (len < sprom_size_words * 2) + /* Strip whitespace at the end. */ + while (len) { + c = dump[len - 1]; + if (!isspace(c) && c != '\0') + break; + len--; + } + /* Length must match exactly. */ + if (len != sprom_size_words * 4) return -EINVAL; while (cnt < sprom_size_words) { memcpy(tmp, dump, 4); dump += 4; - parsed = simple_strtoul(tmp, NULL, 16); + err = strict_strtoul(tmp, 16, &parsed); + if (err) + return err; sprom[cnt++] = swab16((u16)parsed); } -- Greetings, Michael.
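Review bot: In the conversion loop of hex2sprom(), each word is validated only by what strict_strtoul(tmp, 16, &parsed) rejects. If that helper tolerates anything other than four plain hex digits (a base prefix, or a trailing newline inside the group, for example), a malformed word is still stored in sprom[], and the exact-length check above does not catch it because the character count is still right. Since the stated aim is to avoid bricking the device, consider testing all four characters of tmp with isxdigit() before converting; isspace() from the same family is already used in the trimming loop. A smaller point in the same hunk: the comment "Strip whitespace at the end" should say that trailing '\0' bytes are dropped as well, since the loop only breaks when c != '\0'.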