Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 15 May 2025 18:17:53 GMT
From:      Vladimir Kondratyev <wulf@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: d7837cac6f64 - stable/14 - rtlbtfw(8): Fix incorrect chunk index overwrap in rtlbt_load_fwfile()
Message-ID:  <202505151817.54FIHrad090343@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch stable/14 has been updated by wulf:

URL: https://cgit.FreeBSD.org/src/commit/?id=d7837cac6f64a7ed3682050f6401a2a7032fc6d9

commit d7837cac6f64a7ed3682050f6401a2a7032fc6d9
Author:     Vladimir Kondratyev <wulf@FreeBSD.org>
AuthorDate: 2025-04-29 20:28:53 +0000
Commit:     Vladimir Kondratyev <wulf@FreeBSD.org>
CommitDate: 2025-05-15 18:14:18 +0000

    rtlbtfw(8): Fix incorrect chunk index overwrap in rtlbt_load_fwfile()
    
    It prevented large (>256 chunks) firmwares from loading.
    
    Fixes: 5036d9652a57 ("rtlbtfw: Firmware loader for Realtek 87XX/88XX")
    
    Sponsored by:   Future Crew, LLC
    MFC after:      1 week
    
    (cherry picked from commit a4fcbac5d891e3909474ffe7ed7064972a1a7577)
---
 usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c b/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c
index 493358294c07..21f2c3e2804f 100644
--- a/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c
+++ b/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c
@@ -189,19 +189,18 @@ rtlbt_load_fwfile(struct libusb_device_handle *hdl,
 	uint8_t *data = fw->buf;
 	int frag_num = fw->len / RTLBT_MAX_CMD_DATA_LEN + 1;
 	int frag_len = RTLBT_MAX_CMD_DATA_LEN;
-	int i;
+	int i, j;
 	int ret, transferred;
 
-	for (i = 0; i < frag_num; i++) {
+	for (i = 0, j = 0; i < frag_num; i++, j++) {
 
 		rtlbt_debug("download fw (%d/%d)", i + 1, frag_num);
 
 		memset(cmd_buf, 0, sizeof(cmd_buf));
 		cmd->opcode = htole16(0xfc20);
-		if (i > 0x7f)
-			dl_cmd->index = (i & 0x7f) + 1;
-		else
-			dl_cmd->index = i;
+		if (j > 0x7f)
+			j = 1;
+		dl_cmd->index = j;
 
 		if (i == (frag_num - 1)) {
 			dl_cmd->index |= 0x80; /* data end */

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202505151817.54FIHrad090343>