summaryrefslogtreecommitdiff
path: root/drivers/net/wireless/orinoco/fw.c
diff options
context:
space:
mode:
authorDavid Kilroy <kilroyd@googlemail.com>2009-02-21 19:52:54 +0300
committerJohn W. Linville <linville@tuxdriver.com>2009-02-27 22:53:02 +0300
commit3faa19cd9dfac30aa08bc311ddbd62ee5ccc0d85 (patch)
tree7ae57a23a92f4d38580c953a2a4125072b3261ad /drivers/net/wireless/orinoco/fw.c
parent7e57811ac5b595bdb53f2aef3bcb2b3d72663fa4 (diff)
downloadlinux-3faa19cd9dfac30aa08bc311ddbd62ee5ccc0d85.tar.xz
orinoco: prevent accessing memory outside the firmware image
Do this by indicating the end of the appropriate regions of memory. Note that MAX_PDA_SIZE should only apply to the PDA block read from flash/EEPROM, and has been erronously applied to the pdr elements. Remove the macro, and use the actual PDA size passed down by the caller. We also fix up some of the types used, marking as much as possible const, and using void* for the end pointers. Signed-off-by: David Kilroy <kilroyd@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/orinoco/fw.c')
-rw-r--r--drivers/net/wireless/orinoco/fw.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/net/wireless/orinoco/fw.c b/drivers/net/wireless/orinoco/fw.c
index 9f163feb9362..e7abb45d6753 100644
--- a/drivers/net/wireless/orinoco/fw.c
+++ b/drivers/net/wireless/orinoco/fw.c
@@ -83,7 +83,7 @@ orinoco_dl_firmware(struct orinoco_private *priv,
const struct firmware *fw_entry;
const struct orinoco_fw_header *hdr;
const unsigned char *first_block;
- const unsigned char *end;
+ const void *end;
const char *firmware;
const char *fw_err;
struct net_device *dev = priv->ndev;
@@ -152,7 +152,8 @@ orinoco_dl_firmware(struct orinoco_private *priv,
le16_to_cpu(hdr->headersize) +
le32_to_cpu(hdr->pdr_offset));
- err = hermes_apply_pda_with_defaults(hw, first_block, pda);
+ err = hermes_apply_pda_with_defaults(hw, first_block, end, pda,
+ &pda[fw->pda_size / sizeof(*pda)]);
printk(KERN_DEBUG "%s: Apply PDA returned %d\n", dev->name, err);
if (err)
goto abort;
@@ -184,7 +185,7 @@ free:
*/
static int
symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw,
- const unsigned char *image, const unsigned char *end,
+ const unsigned char *image, const void *end,
int secondary)
{
hermes_t *hw = &priv->hw;
@@ -225,9 +226,10 @@ symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw,
/* Write the PDA to the adapter */
if (secondary) {
- size_t len = hermes_blocks_length(first_block);
+ size_t len = hermes_blocks_length(first_block, end);
ptr = first_block + len;
- ret = hermes_apply_pda(hw, ptr, pda);
+ ret = hermes_apply_pda(hw, ptr, end, pda,
+ &pda[fw->pda_size / sizeof(*pda)]);
kfree(pda);
if (ret)
return ret;