diff options
| author | Lior David <qca_liord@qca.qualcomm.com> | 2017-11-14 16:25:38 +0300 |
|---|---|---|
| committer | Kalle Valo <kvalo@qca.qualcomm.com> | 2017-12-02 17:18:35 +0300 |
| commit | 705d2fde94b23cd76efbeedde643ffa7c32fac7f (patch) | |
| tree | 7973eda3bb7c51c37a400b13d4fd2514d7a4a172 /drivers/net/wireless/ath/wil6210/wmi.c | |
| parent | 26a6d5274865532502c682ff378ac8ebe2886238 (diff) | |
| download | linux-705d2fde94b23cd76efbeedde643ffa7c32fac7f.tar.xz | |
wil6210: add block size checks during FW load
When loading FW from file add block size checks to ensure a
corrupted FW file will not cause the driver to write outside
the device memory.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Diffstat (limited to 'drivers/net/wireless/ath/wil6210/wmi.c')
| -rw-r--r-- | drivers/net/wireless/ath/wil6210/wmi.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c index dbdf71dfb80d..16aa624a986a 100644 --- a/drivers/net/wireless/ath/wil6210/wmi.c +++ b/drivers/net/wireless/ath/wil6210/wmi.c @@ -140,13 +140,15 @@ static u32 wmi_addr_remap(u32 x) /** * Check address validity for WMI buffer; remap if needed * @ptr - internal (linker) fw/ucode address + * @size - if non zero, validate the block does not + * exceed the device memory (bar) * * Valid buffer should be DWORD aligned * * return address for accessing buffer from the host; * if buffer is not valid, return NULL. */ -void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_) +void __iomem *wmi_buffer_block(struct wil6210_priv *wil, __le32 ptr_, u32 size) { u32 off; u32 ptr = le32_to_cpu(ptr_); @@ -161,10 +163,17 @@ void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_) off = HOSTADDR(ptr); if (off > wil->bar_size - 4) return NULL; + if (size && ((off + size > wil->bar_size) || (off + size < off))) + return NULL; return wil->csr + off; } +void __iomem *wmi_buffer(struct wil6210_priv *wil, __le32 ptr_) +{ + return wmi_buffer_block(wil, ptr_, 0); +} + /** * Check address validity */ |