diff options
author | Hayes Wang <hayeswang@realtek.com> | 2019-10-21 06:41:11 +0300 |
---|---|---|
committer | Jakub Kicinski <jakub.kicinski@netronome.com> | 2019-10-22 19:45:21 +0300 |
commit | 5a16a3d9f9b9714508d6c9ab69897576a3709566 (patch) | |
tree | 315dac4a588866607b1c3d6e5aa18fd56fed214b /drivers | |
parent | a66edaafae08c37f9ea31fdfbc64d2a9be8d588f (diff) | |
download | linux-5a16a3d9f9b9714508d6c9ab69897576a3709566.tar.xz |
r8152: add checking fw_offset field of struct fw_mac
Make sure @fw_offset field of struct fw_mac is more than the size
of struct fw_mac.
Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/usb/r8152.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c index 55a7674a0c06..090ddd5fb973 100644 --- a/drivers/net/usb/r8152.c +++ b/drivers/net/usb/r8152.c @@ -3399,7 +3399,7 @@ static void rtl_clear_bp(struct r8152 *tp, u16 type) static bool rtl8152_is_fw_mac_ok(struct r8152 *tp, struct fw_mac *mac) { - u16 fw_reg, bp_ba_addr, bp_en_addr, bp_start; + u16 fw_reg, bp_ba_addr, bp_en_addr, bp_start, fw_offset; bool rc = false; u32 length, type; int i, max_bp; @@ -3461,13 +3461,19 @@ static bool rtl8152_is_fw_mac_ok(struct r8152 *tp, struct fw_mac *mac) goto out; } + fw_offset = __le16_to_cpu(mac->fw_offset); + if (fw_offset < sizeof(*mac)) { + dev_err(&tp->intf->dev, "fw_offset too small\n"); + goto out; + } + length = __le32_to_cpu(mac->blk_hdr.length); - if (length < __le16_to_cpu(mac->fw_offset)) { + if (length < fw_offset) { dev_err(&tp->intf->dev, "invalid fw_offset\n"); goto out; } - length -= __le16_to_cpu(mac->fw_offset); + length -= fw_offset; if (length < 4 || (length & 3)) { dev_err(&tp->intf->dev, "invalid block length\n"); goto out; |