diff options
| author | David Kilroy <kilroyd@googlemail.com> | 2009-02-21 16:52:54 +0000 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2009-02-27 14:53:02 -0500 |
| commit | 3faa19cd9dfac30aa08bc311ddbd62ee5ccc0d85 (patch) | |
| tree | 7ae57a23a92f4d38580c953a2a4125072b3261ad /drivers/net/wireless/orinoco/fw.c | |
| parent | 7e57811ac5b595bdb53f2aef3bcb2b3d72663fa4 (diff) | |
orinoco: prevent accessing memory outside the firmware image
Do this by indicating the end of the appropriate regions of memory.
Note that MAX_PDA_SIZE should only apply to the PDA block read from
flash/EEPROM, and has been erronously applied to the pdr elements.
Remove the macro, and use the actual PDA size passed down by the caller.
We also fix up some of the types used, marking as much as possible
const, and using void* for the end pointers.
Signed-off-by: David Kilroy <kilroyd@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/orinoco/fw.c')
| -rw-r--r-- | drivers/net/wireless/orinoco/fw.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/net/wireless/orinoco/fw.c b/drivers/net/wireless/orinoco/fw.c index 9f163feb936..e7abb45d675 100644 --- a/drivers/net/wireless/orinoco/fw.c +++ b/drivers/net/wireless/orinoco/fw.c @@ -83,7 +83,7 @@ orinoco_dl_firmware(struct orinoco_private *priv, const struct firmware *fw_entry; const struct orinoco_fw_header *hdr; const unsigned char *first_block; - const unsigned char *end; + const void *end; const char *firmware; const char *fw_err; struct net_device *dev = priv->ndev; @@ -152,7 +152,8 @@ orinoco_dl_firmware(struct orinoco_private *priv, le16_to_cpu(hdr->headersize) + le32_to_cpu(hdr->pdr_offset)); - err = hermes_apply_pda_with_defaults(hw, first_block, pda); + err = hermes_apply_pda_with_defaults(hw, first_block, end, pda, + &pda[fw->pda_size / sizeof(*pda)]); printk(KERN_DEBUG "%s: Apply PDA returned %d\n", dev->name, err); if (err) goto abort; @@ -184,7 +185,7 @@ free: */ static int symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw, - const unsigned char *image, const unsigned char *end, + const unsigned char *image, const void *end, int secondary) { hermes_t *hw = &priv->hw; @@ -225,9 +226,10 @@ symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw, /* Write the PDA to the adapter */ if (secondary) { - size_t len = hermes_blocks_length(first_block); + size_t len = hermes_blocks_length(first_block, end); ptr = first_block + len; - ret = hermes_apply_pda(hw, ptr, pda); + ret = hermes_apply_pda(hw, ptr, end, pda, + &pda[fw->pda_size / sizeof(*pda)]); kfree(pda); if (ret) return ret; |