diff options
author | matthieu castet <castet.matthieu@free.fr> | 2005-11-08 02:02:30 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-01-05 00:48:29 +0300 |
commit | 8d7802ed3c617120863f84346638d1cf1c96137b (patch) | |
tree | 008b4724dd19719a3541651a8e68a250a5ecf587 /drivers | |
parent | b72458a80c75cab832248f536412f386e20a93a0 (diff) | |
download | linux-8d7802ed3c617120863f84346638d1cf1c96137b.tar.xz |
[PATCH] USB: Eagle and ADI 930 usb adsl modem driver fix
More care on loading firmware, take into account fw->size can't be zero.
Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/usb/atm/ueagle-atm.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c index 3e2475c666ab..be08e16df09f 100644 --- a/drivers/usb/atm/ueagle-atm.c +++ b/drivers/usb/atm/ueagle-atm.c @@ -426,14 +426,14 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte pfw = fw_entry->data; size = fw_entry->size; + if (size < 4) + goto err_fw_corrupted; crc = FW_GET_LONG(pfw); pfw += 4; size -= 4; - if (crc32_be(0, pfw, size) != crc) { - uea_err(usb, "firmware is corrupted\n"); - goto err; - } + if (crc32_be(0, pfw, size) != crc) + goto err_fw_corrupted; /* * Start to upload formware : send reset @@ -446,9 +446,14 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte goto err; } - while (size > 0) { + while (size > 3) { u8 len = FW_GET_BYTE(pfw); u16 add = FW_GET_WORD(pfw + 1); + + size -= len + 3; + if (size < 0) + goto err_fw_corrupted; + ret = uea_send_modem_cmd(usb, add, len, pfw + 3); if (ret < 0) { uea_err(usb, "uploading firmware data failed " @@ -456,9 +461,11 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte goto err; } pfw += len + 3; - size -= len + 3; } + if (size != 0) + goto err_fw_corrupted; + /* * Tell the modem we finish : de-assert reset */ @@ -469,6 +476,11 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte else uea_info(usb, "firmware uploaded\n"); + uea_leaves(usb); + return; + +err_fw_corrupted: + uea_err(usb, "firmware is corrupted\n"); err: uea_leaves(usb); } @@ -522,10 +534,6 @@ static int check_dsp(u8 *dsp, unsigned int len) u32 pageoffset; unsigned int i, j, p, pp; - /* enough space for pagecount? */ - if (len < 1) - return 1; - pagecount = FW_GET_BYTE(dsp); p = 1; |