Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

Conflicts: net/mac80211/rc80211_pid_algo.c
author: David S. Miller <davem@davemloft.net> 2008-03-05 15:26:41 -0500
committer: David S. Miller <davem@davemloft.net> 2008-03-05 15:26:41 -0500
commit: 255333c1db3ec63921de29b134418a4e56e5921e (patch)
tree: b1cd99373cabfa6fed020496d4d74500e7bc7e92 /drivers/net/wireless/p54common.c
parent: 9a43b709a230705ca40a6f854a334a02334a3c1c (diff)
parent: 0d66afe7805b169b6bf3c7a88cf8163298b8ef05 (diff)
1 files changed, 12 insertions, 8 deletions
diff --git a/drivers/net/wireless/p54common.c b/drivers/net/wireless/p54common.c
index 84cc000e71aa..63f9badf3f52 100644
--- a/drivers/net/wireless/p54common.c
+++ b/drivers/net/wireless/p54common.c
@@ -206,18 +206,23 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len)
        struct p54_common *priv = dev->priv;
        struct eeprom_pda_wrap *wrap = NULL;
        struct pda_entry *entry;
-        int i = 0;
        unsigned int data_len, entry_len;
        void *tmp;
        int err;
+        u8 *end = (u8 *)eeprom + len;
        wrap = (struct eeprom_pda_wrap *) eeprom;
-        entry = (void *)wrap->data + wrap->len;
+        entry = (void *)wrap->data + le16_to_cpu(wrap->len);
-        i += 2;
-        i += le16_to_cpu(entry->len)*2;
+        /* verify that at least the entry length/code fits */
-        while (i < len) {
+        while ((u8 *)entry <= end - sizeof(*entry)) {
                entry_len = le16_to_cpu(entry->len);
                data_len = ((entry_len - 1) << 1);
+                /* abort if entry exceeds whole structure */
+                if ((u8 *)entry + sizeof(*entry) + data_len > end)
+                        break;
                switch (le16_to_cpu(entry->code)) {
                case PDR_MAC_ADDRESS:
                        SET_IEEE80211_PERM_ADDR(dev, entry->data);
@@ -289,7 +294,8 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len)
                        priv->version = *(u8 *)(entry->data + 1);
                        break;
                case PDR_END:
-                        i = len;
+                        /* make it overrun */
+                        entry_len = len;
                        break;
                default:
                        printk(KERN_INFO "p54: unknown eeprom code : 0x%x\n",
@@ -298,8 +304,6 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len)
                }
                entry = (void *)entry + (entry_len + 1)*2;
-                i += 2;
-                i += entry_len*2;
        }
        if (!priv->iq_autocal || !priv->output_limit || !priv->curve_data) {
author	David S. Miller <davem@davemloft.net>	2008-03-05 15:26:41 -0500
committer	David S. Miller <davem@davemloft.net>	2008-03-05 15:26:41 -0500
commit	255333c1db3ec63921de29b134418a4e56e5921e (patch)
tree	b1cd99373cabfa6fed020496d4d74500e7bc7e92 /drivers/net/wireless/p54common.c
parent	9a43b709a230705ca40a6f854a334a02334a3c1c (diff)
parent	0d66afe7805b169b6bf3c7a88cf8163298b8ef05 (diff)

diff --git a/drivers/net/wireless/p54common.c b/drivers/net/wireless/p54common.c index 84cc000e71aa..63f9badf3f52 100644 --- a/drivers/net/wireless/p54common.c +++ b/drivers/net/wireless/p54common.c
@@ -206,18 +206,23 @@ int p54_parse_eeprom(struct ieee80211_hw dev, void eeprom, int len)
206	struct p54_common *priv = dev->priv;	206	struct p54_common *priv = dev->priv;
207	struct eeprom_pda_wrap *wrap = NULL;	207	struct eeprom_pda_wrap *wrap = NULL;
208	struct pda_entry *entry;	208	struct pda_entry *entry;
209	int i = 0;
210	unsigned int data_len, entry_len;	209	unsigned int data_len, entry_len;
211	void *tmp;	210	void *tmp;
212	int err;	211	int err;
		212	u8 end = (u8 )eeprom + len;
213		213
214	wrap = (struct eeprom_pda_wrap *) eeprom;	214	wrap = (struct eeprom_pda_wrap *) eeprom;
215	entry = (void *)wrap->data + wrap->len;	215	entry = (void *)wrap->data + le16_to_cpu(wrap->len);
216	i += 2;	216
217	i += le16_to_cpu(entry->len)*2;	217	/* verify that at least the entry length/code fits */
218	while (i < len) {	218	while ((u8 )entry <= end - sizeof(entry)) {
219	entry_len = le16_to_cpu(entry->len);	219	entry_len = le16_to_cpu(entry->len);
220	data_len = ((entry_len - 1) << 1);	220	data_len = ((entry_len - 1) << 1);
		221
		222	/* abort if entry exceeds whole structure */
		223	if ((u8 )entry + sizeof(entry) + data_len > end)
		224	break;
		225
221	switch (le16_to_cpu(entry->code)) {	226	switch (le16_to_cpu(entry->code)) {
222	case PDR_MAC_ADDRESS:	227	case PDR_MAC_ADDRESS:
223	SET_IEEE80211_PERM_ADDR(dev, entry->data);	228	SET_IEEE80211_PERM_ADDR(dev, entry->data);
@@ -289,7 +294,8 @@ int p54_parse_eeprom(struct ieee80211_hw dev, void eeprom, int len)
289	priv->version = (u8 )(entry->data + 1);	294	priv->version = (u8 )(entry->data + 1);
290	break;	295	break;
291	case PDR_END:	296	case PDR_END:
292	i = len;	297	/* make it overrun */
		298	entry_len = len;
293	break;	299	break;
294	default:	300	default:
295	printk(KERN_INFO "p54: unknown eeprom code : 0x%x\n",	301	printk(KERN_INFO "p54: unknown eeprom code : 0x%x\n",
@@ -298,8 +304,6 @@ int p54_parse_eeprom(struct ieee80211_hw dev, void eeprom, int len)
298	}	304	}
299		305
300	entry = (void )entry + (entry_len + 1)2;	306	entry = (void )entry + (entry_len + 1)2;
301	i += 2;
302	i += entry_len*2;
303	}	307	}
304		308
305	if (!priv->iq_autocal \|\| !priv->output_limit \|\| !priv->curve_data) {	309	if (!priv->iq_autocal \|\| !priv->output_limit \|\| !priv->curve_data) {