aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Buesch <mb@bu3sch.de>2009-11-23 14:58:06 -0500
committerJohn W. Linville <linville@tuxdriver.com>2009-11-23 17:05:41 -0500
commite33761e6f23881de9f3ee77cc2204ab2e26f3d9a (patch)
treee4d1c56fed629085b3387ebc512e8b2a441e393f
parent3ba6018aa314559c5867138a8173b068268a70db (diff)
ssb: Fix range check in sprom write
The range check in the sprom image parser hex2sprom() is broken. One sprom word is 4 hex characters. This fixes the check and also adds much better sanity checks to the code. We better make sure the image is OK by doing some sanity checks to avoid bricking the device by accident. Signed-off-by: Michael Buesch <mb@bu3sch.de> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/ssb/sprom.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c
index 580f779ecf49..d0e6762fec50 100644
--- a/drivers/ssb/sprom.c
+++ b/drivers/ssb/sprom.c
@@ -13,6 +13,8 @@
13 13
14#include "ssb_private.h" 14#include "ssb_private.h"
15 15
16#include <linux/ctype.h>
17
16 18
17static const struct ssb_sprom *fallback_sprom; 19static const struct ssb_sprom *fallback_sprom;
18 20
@@ -33,17 +35,27 @@ static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len,
33static int hex2sprom(u16 *sprom, const char *dump, size_t len, 35static int hex2sprom(u16 *sprom, const char *dump, size_t len,
34 size_t sprom_size_words) 36 size_t sprom_size_words)
35{ 37{
36 char tmp[5] = { 0 }; 38 char c, tmp[5] = { 0 };
37 int cnt = 0; 39 int err, cnt = 0;
38 unsigned long parsed; 40 unsigned long parsed;
39 41
40 if (len < sprom_size_words * 2) 42 /* Strip whitespace at the end. */
43 while (len) {
44 c = dump[len - 1];
45 if (!isspace(c) && c != '\0')
46 break;
47 len--;
48 }
49 /* Length must match exactly. */
50 if (len != sprom_size_words * 4)
41 return -EINVAL; 51 return -EINVAL;
42 52
43 while (cnt < sprom_size_words) { 53 while (cnt < sprom_size_words) {
44 memcpy(tmp, dump, 4); 54 memcpy(tmp, dump, 4);
45 dump += 4; 55 dump += 4;
46 parsed = simple_strtoul(tmp, NULL, 16); 56 err = strict_strtoul(tmp, 16, &parsed);
57 if (err)
58 return err;
47 sprom[cnt++] = swab16((u16)parsed); 59 sprom[cnt++] = swab16((u16)parsed);
48 } 60 }
49 61