Date: Thu, 28 Feb 2013 16:39:44 +0000 (UTC) From: Hans Petter Selasky <hselasky@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r247473 - stable/9/sys/dev/usb/wlan Message-ID: <201302281639.r1SGdiDc063874@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hselasky Date: Thu Feb 28 16:39:44 2013 New Revision: 247473 URL: http://svnweb.freebsd.org/changeset/base/247473 Log: MFC r246944: Fix bad EEPROM parsing code. Modified: stable/9/sys/dev/usb/wlan/if_upgt.c stable/9/sys/dev/usb/wlan/if_upgtvar.h Directory Properties: stable/9/sys/ (props changed) stable/9/sys/dev/ (props changed) Modified: stable/9/sys/dev/usb/wlan/if_upgt.c ============================================================================== --- stable/9/sys/dev/usb/wlan/if_upgt.c Thu Feb 28 16:38:28 2013 (r247472) +++ stable/9/sys/dev/usb/wlan/if_upgt.c Thu Feb 28 16:39:44 2013 (r247473) @@ -1122,12 +1122,23 @@ upgt_eeprom_parse(struct upgt_softc *sc) (sizeof(struct upgt_eeprom_header) + preamble_len)); while (!option_end) { + + /* sanity check */ + if (eeprom_option >= (struct upgt_eeprom_option *) + (sc->sc_eeprom + UPGT_EEPROM_SIZE)) { + return (EINVAL); + } + /* the eeprom option length is stored in words */ option_len = (le16toh(eeprom_option->len) - 1) * sizeof(uint16_t); option_type = le16toh(eeprom_option->type); + /* sanity check */ + if (option_len == 0 || option_len >= UPGT_EEPROM_SIZE) + return (EINVAL); + switch (option_type) { case UPGT_EEPROM_TYPE_NAME: DPRINTF(sc, UPGT_DEBUG_FW, @@ -1198,7 +1209,6 @@ upgt_eeprom_parse(struct upgt_softc *sc) eeprom_option = (struct upgt_eeprom_option *) (eeprom_option->data + option_len); } - return (0); } @@ -1207,7 +1217,9 @@ upgt_eeprom_parse_freq3(struct upgt_soft { struct upgt_eeprom_freq3_header *freq3_header; struct upgt_lmac_freq3 *freq3; - int i, elements, flags; + int i; + int elements; + int flags; unsigned channel; freq3_header = (struct upgt_eeprom_freq3_header *)data; @@ -1219,6 +1231,9 @@ upgt_eeprom_parse_freq3(struct upgt_soft DPRINTF(sc, UPGT_DEBUG_FW, "flags=0x%02x elements=%d\n", flags, elements); + if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq3[0]))) + return; + for (i = 0; i < elements; i++) { channel = ieee80211_mhz2ieee(le16toh(freq3[i].freq), 0); if (channel >= IEEE80211_CHAN_MAX) @@ -1237,7 +1252,11 @@ upgt_eeprom_parse_freq4(struct upgt_soft struct upgt_eeprom_freq4_header *freq4_header; struct upgt_eeprom_freq4_1 *freq4_1; struct upgt_eeprom_freq4_2 *freq4_2; - int i, j, elements, settings, flags; + int i; + int j; + int elements; + int settings; + int flags; unsigned channel; freq4_header = (struct upgt_eeprom_freq4_header *)data; @@ -1252,6 +1271,9 @@ upgt_eeprom_parse_freq4(struct upgt_soft DPRINTF(sc, UPGT_DEBUG_FW, "flags=0x%02x elements=%d settings=%d\n", flags, elements, settings); + if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq4_1[0]))) + return; + for (i = 0; i < elements; i++) { channel = ieee80211_mhz2ieee(le16toh(freq4_1[i].freq), 0); if (channel >= IEEE80211_CHAN_MAX) @@ -1272,7 +1294,8 @@ void upgt_eeprom_parse_freq6(struct upgt_softc *sc, uint8_t *data, int len) { struct upgt_lmac_freq6 *freq6; - int i, elements; + int i; + int elements; unsigned channel; freq6 = (struct upgt_lmac_freq6 *)data; @@ -1280,6 +1303,9 @@ upgt_eeprom_parse_freq6(struct upgt_soft DPRINTF(sc, UPGT_DEBUG_FW, "elements=%d\n", elements); + if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq6[0]))) + return; + for (i = 0; i < elements; i++) { channel = ieee80211_mhz2ieee(le16toh(freq6[i].freq), 0); if (channel >= IEEE80211_CHAN_MAX) Modified: stable/9/sys/dev/usb/wlan/if_upgtvar.h ============================================================================== --- stable/9/sys/dev/usb/wlan/if_upgtvar.h Thu Feb 28 16:38:28 2013 (r247472) +++ stable/9/sys/dev/usb/wlan/if_upgtvar.h Thu Feb 28 16:39:44 2013 (r247473) @@ -451,7 +451,7 @@ struct upgt_softc { struct upgt_memory sc_memory; /* data which we found in the EEPROM */ - uint8_t sc_eeprom[UPGT_EEPROM_SIZE]; + uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4); uint16_t sc_eeprom_hwrx; struct upgt_lmac_freq3 sc_eeprom_freq3[IEEE80211_CHAN_MAX]; struct upgt_lmac_freq4 sc_eeprom_freq4[IEEE80211_CHAN_MAX][8];
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201302281639.r1SGdiDc063874>