* re: libertas: if_spi, driver for libertas GSPI devices
@ 2012-04-17 9:07 Dan Carpenter
From: Dan Carpenter @ 2012-04-17 9:07 UTC (permalink / raw)
To: colin; +Cc: linux-wireless
Hi Colin,
I was going through some old stuff and I had a question about a
potential overflow in if_spi_c2h_cmd().
        } else if (len > IF_SPI_CMD_BUF_SIZE) {
                   ^^^^^^^^^^^^^^^^^^^^^^^^^
We cap "len" at 2400 bytes here.
                netdev_err(priv->dev,
                           "%s: error: response packet too large: %d bytes, but maximum is %d\n",
                           __func__, len, IF_SPI_CMD_BUF_SIZE);
                err = -EINVAL;
                goto out;
        }

        /* Read the data from the WLAN module into our command buffer */
        err = spu_read(card, IF_SPI_CMD_RDWRPORT_REG,
                       card->cmd_buffer, ALIGN(len, 4));
        if (err)
                goto out;

        spin_lock_irqsave(&priv->driver_lock, flags);
        i = (priv->resp_idx == 0) ? 1 : 0;
        BUG_ON(priv->resp_len[i]);
        priv->resp_len[i] = len;
        memcpy(priv->resp_buf[i], card->cmd_buffer, len);
               ^^^^^^^^^^^^^^^^^
But ->resp_buf[i] can only hold LBS_UPLD_SIZE (2312) bytes, so we could
write past the end of the array.
        lbs_notify_command_response(priv, i);
regards,
dan carpenter
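
Added example, not part of the original message and not the driver's code: a user-space C model of the copy path questioned above, showing which lengths pass the quoted check yet exceed the destination, and a copy that bounds "len" by both buffers. The struct and function names (model_priv, store_response, in_overflow_window) are hypothetical; the two sizes are the ones given in the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes as stated in the message above. */
#define IF_SPI_CMD_BUF_SIZE 2400
#define LBS_UPLD_SIZE       2312

/* Hypothetical user-space stand-in for the driver state, not the kernel structs. */
struct model_priv {
	uint8_t resp_buf[2][LBS_UPLD_SIZE];
	size_t  resp_len[2];
	int     resp_idx;
};

/* The check quoted in the message: bounds len by the source buffer only. */
static int passes_quoted_check(size_t len)
{
	return len <= IF_SPI_CMD_BUF_SIZE;
}

/* Lengths that pass the quoted check but do not fit the destination slot. */
static int in_overflow_window(size_t len)
{
	return passes_quoted_check(len) && len > LBS_UPLD_SIZE;
}

/*
 * Copy with len bounded by both buffers. Using sizeof on the destination
 * keeps the check tied to the array actually written.
 * Returns the slot index used, or a negative errno.
 */
static int store_response(struct model_priv *priv, const uint8_t *cmd_buffer,
			  size_t len)
{
	int i = (priv->resp_idx == 0) ? 1 : 0;

	if (len > IF_SPI_CMD_BUF_SIZE || len > sizeof(priv->resp_buf[i]))
		return -EINVAL;
	if (priv->resp_len[i])	/* slot still holds an unprocessed response */
		return -EBUSY;

	priv->resp_len[i] = len;
	memcpy(priv->resp_buf[i], cmd_buffer, len);
	return i;
}
```
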