[PATCH 4/6] qlcnic: validate unified fw image

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Amit Kumar Salecha <amit.salecha@qlogic.com>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, dhananjay.phadke@qlogic.com,
	ameen.rahman@qlogic.com,
	Sucheta Chakraborty <sucheta@dut6195.unminc.com>
Subject: [PATCH 4/6] qlcnic: validate unified fw image
Date: Mon,  8 Mar 2010 02:14:48 -0800	[thread overview]
Message-ID: <1268043290-19929-5-git-send-email-amit.salecha@qlogic.com> (raw)
In-Reply-To: <1268043290-19929-1-git-send-email-amit.salecha@qlogic.com>

From: Sucheta Chakraborty <sucheta@dut6195.unminc.com>

Validate all sections of unified fw image, before accessing them,
to avoid seg fault.

Signed-off-by: Sucheta Chakraborty <sucheta@dut6195.unminc.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
---
 drivers/net/qlcnic/qlcnic_init.c |  146 ++++++++++++++++++++++++++++++++++++--
 1 files changed, 139 insertions(+), 7 deletions(-)

diff --git a/drivers/net/qlcnic/qlcnic_init.c b/drivers/net/qlcnic/qlcnic_init.c
index f0df971..21a6e9f 100644
--- a/drivers/net/qlcnic/qlcnic_init.c
+++ b/drivers/net/qlcnic/qlcnic_init.c
@@ -568,21 +568,123 @@ struct uni_table_desc *qlcnic_get_table_desc(const u8 *unirom, int section)
 	return NULL;
 }
 
+#define FILEHEADER_SIZE (14 * 4)
+
 static int
-qlcnic_set_product_offs(struct qlcnic_adapter *adapter)
+qlcnic_validate_header(struct qlcnic_adapter *adapter)
 {
-	struct uni_table_desc *ptab_descr;
 	const u8 *unirom = adapter->fw->data;
-	u32 i;
+	struct uni_table_desc *directory = (struct uni_table_desc *) &unirom[0];
+	__le32 fw_file_size = adapter->fw->size;
 	__le32 entries;
+	__le32 entry_size;
+	__le32 tab_size;
+
+	if (fw_file_size < FILEHEADER_SIZE)
+		return -EINVAL;
+
+	entries = cpu_to_le32(directory->num_entries);
+	entry_size = cpu_to_le32(directory->entry_size);
+	tab_size = cpu_to_le32(directory->findex) + (entries * entry_size);
+
+	if (fw_file_size < tab_size)
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
+qlcnic_validate_bootld(struct qlcnic_adapter *adapter)
+{
+	struct uni_table_desc *tab_desc;
+	struct uni_data_desc *descr;
+	const u8 *unirom = adapter->fw->data;
+	int idx = cpu_to_le32(*((int *)&unirom[adapter->file_prd_off] +
+				QLCNIC_UNI_BOOTLD_IDX_OFF));
+	__le32 offs;
+	__le32 tab_size;
+	__le32 data_size;
+
+	tab_desc = qlcnic_get_table_desc(unirom, QLCNIC_UNI_DIR_SECT_BOOTLD);
+
+	if (!tab_desc)
+		return -EINVAL;
+
+	tab_size = cpu_to_le32(tab_desc->findex) +
+			(cpu_to_le32(tab_desc->entry_size * (idx + 1)));
+
+	if (adapter->fw->size < tab_size)
+		return -EINVAL;
+
+	offs = cpu_to_le32(tab_desc->findex) +
+		(cpu_to_le32(tab_desc->entry_size) * (idx));
+	descr = (struct uni_data_desc *)&unirom[offs];
+
+	data_size = descr->findex + cpu_to_le32(descr->size);
+
+	if (adapter->fw->size < data_size)
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
+qlcnic_validate_fw(struct qlcnic_adapter *adapter)
+{
+	struct uni_table_desc *tab_desc;
+	struct uni_data_desc *descr;
+	const u8 *unirom = adapter->fw->data;
+	int idx = cpu_to_le32(*((int *)&unirom[adapter->file_prd_off] +
+				QLCNIC_UNI_FIRMWARE_IDX_OFF));
+	__le32 offs;
+	__le32 tab_size;
+	__le32 data_size;
+
+	tab_desc = qlcnic_get_table_desc(unirom, QLCNIC_UNI_DIR_SECT_FW);
+
+	if (!tab_desc)
+		return -EINVAL;
+
+	tab_size = cpu_to_le32(tab_desc->findex) +
+			(cpu_to_le32(tab_desc->entry_size * (idx + 1)));
+
+	if (adapter->fw->size < tab_size)
+		return -EINVAL;
+
+	offs = cpu_to_le32(tab_desc->findex) +
+		(cpu_to_le32(tab_desc->entry_size) * (idx));
+	descr = (struct uni_data_desc *)&unirom[offs];
+	data_size = descr->findex + cpu_to_le32(descr->size);
+
+	if (adapter->fw->size < data_size)
+		return -EINVAL;
+
+	return 0;
+}
+
+static int
+qlcnic_validate_product_offs(struct qlcnic_adapter *adapter)
+{
+	struct uni_table_desc *ptab_descr;
+	const u8 *unirom = adapter->fw->data;
 	int mn_present = qlcnic_has_mn(adapter);
+	__le32 entries;
+	__le32 entry_size;
+	__le32 tab_size;
+	u32 i;
 
 	ptab_descr = qlcnic_get_table_desc(unirom,
 				QLCNIC_UNI_DIR_SECT_PRODUCT_TBL);
-	if (ptab_descr == NULL)
-		return -1;
+	if (!ptab_descr)
+		return -EINVAL;
 
 	entries = cpu_to_le32(ptab_descr->num_entries);
+	entry_size = cpu_to_le32(ptab_descr->entry_size);
+	tab_size = cpu_to_le32(ptab_descr->findex) + (entries * entry_size);
+
+	if (adapter->fw->size < tab_size)
+		return -EINVAL;
+
 nomn:
 	for (i = 0; i < entries; i++) {
 
@@ -609,7 +711,37 @@ nomn:
 		mn_present = 0;
 		goto nomn;
 	}
-	return -1;
+	return -EINVAL;
+}
+
+static int
+qlcnic_validate_unified_romimage(struct qlcnic_adapter *adapter)
+{
+	if (qlcnic_validate_header(adapter)) {
+		dev_err(&adapter->pdev->dev,
+				"unified image: header validation failed\n");
+		return -EINVAL;
+	}
+
+	if (qlcnic_validate_product_offs(adapter)) {
+		dev_err(&adapter->pdev->dev,
+				"unified image: product validation failed\n");
+		return -EINVAL;
+	}
+
+	if (qlcnic_validate_bootld(adapter)) {
+		dev_err(&adapter->pdev->dev,
+				"unified image: bootld validation failed\n");
+		return -EINVAL;
+	}
+
+	if (qlcnic_validate_fw(adapter)) {
+		dev_err(&adapter->pdev->dev,
+				"unified image: firmware validation failed\n");
+		return -EINVAL;
+	}
+
+	return 0;
 }
 
 static
@@ -858,7 +990,7 @@ qlcnic_validate_firmware(struct qlcnic_adapter *adapter)
 	u8 fw_type = adapter->fw_type;
 
 	if (fw_type == QLCNIC_UNIFIED_ROMIMAGE) {
-		if (qlcnic_set_product_offs(adapter))
+		if (qlcnic_validate_unified_romimage(adapter))
 			return -EINVAL;
 
 		min_size = QLCNIC_UNI_FW_MIN_SIZE;
-- 
1.6.0.2

next prev parent reply	other threads:[~2010-03-08 10:14 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-03-08 10:14 [PATCH 0/6]qlcnic: bug fixes Amit Kumar Salecha
2010-03-08 10:14 ` [PATCH 1/6] qlcnic: fix tx csum status Amit Kumar Salecha
2010-03-08 10:14 ` [PATCH 2/6] qlcnic: additional driver statistics Amit Kumar Salecha
2010-03-08 10:14 ` [PATCH 3/6] qlcnic: fix multicast handling Amit Kumar Salecha
2010-03-08 10:14 ` Amit Kumar Salecha [this message]
2010-03-08 10:14 ` [PATCH 5/6] qlcnic: fix bios version check Amit Kumar Salecha
2010-03-08 10:14 ` [PATCH 6/6] qlcnic: remove extra space from board names Amit Kumar Salecha
2010-03-08 18:45 ` [PATCH 0/6]qlcnic: bug fixes David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f0df971 dfblob:21a6e9f )
 OR (
bs:"[PATCH 4/6] qlcnic: validate unified fw image" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1268043290-19929-5-git-send-email-amit.salecha@qlogic.com \
    --to=amit.salecha@qlogic.com \
    --cc=ameen.rahman@qlogic.com \
    --cc=davem@davemloft.net \
    --cc=dhananjay.phadke@qlogic.com \
    --cc=netdev@vger.kernel.org \
    --cc=sucheta@dut6195.unminc.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).