iwlwifi: add range checking in tm sram read command

The size of sram may alter according to ucode type. Retrieve the maximum sram size by current ucode type for range checking to prevent wrong data access. Signed-off-by: Kenny Hsu <kenny.hsu@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
author: Kenny Hsu <kenny.hsu@intel.com> 2011-11-23 09:57:22 -0500
committer: Wey-Yi Guy <wey-yi.w.guy@intel.com> 2011-12-02 11:20:57 -0500
commit: 76de2f29d437fc1c9324e353e26c5879a4fa6dfb (patch)
tree: ced1f959636ecbb1acbef1b9f73e648f04f9039e /drivers
parent: 306713fd1a04801ab3c9b5c0f76b615f1db46e6d (diff)
1 files changed, 22 insertions, 1 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-sv-open.c b/drivers/net/wireless/iwlwifi/iwl-sv-open.c
index 593f42d9fb0a..a8d0ef649a7c 100644
--- a/drivers/net/wireless/iwlwifi/iwl-sv-open.c
+++ b/drivers/net/wireless/iwlwifi/iwl-sv-open.c
@@ -680,7 +680,7 @@ static int iwl_testmode_ownership(struct ieee80211_hw *hw, struct nlattr **tb)
 static int iwl_testmode_sram(struct ieee80211_hw *hw, struct nlattr **tb)
 {
        struct iwl_priv *priv = hw->priv;
-        u32 base, ofs, size;
+        u32 base, ofs, size, maxsize;
        if (priv->testmode_sram.sram_readed)
                return -EBUSY;
@@ -695,6 +695,27 @@ static int iwl_testmode_sram(struct ieee80211_hw *hw, struct nlattr **tb)
                return -ENOMSG;
        }
        size = nla_get_u32(tb[IWL_TM_ATTR_SRAM_SIZE]);
+        switch (priv->ucode_type) {
+        case IWL_UCODE_REGULAR:
+                maxsize = trans(priv)->ucode_rt.data.len;
+                break;
+        case IWL_UCODE_INIT:
+                maxsize = trans(priv)->ucode_init.data.len;
+                break;
+        case IWL_UCODE_WOWLAN:
+                maxsize = trans(priv)->ucode_wowlan.data.len;
+                break;
+        case IWL_UCODE_NONE:
+                IWL_DEBUG_INFO(priv, "Error, uCode does not been loaded\n");
+                return -ENOSYS;
+        default:
+                IWL_DEBUG_INFO(priv, "Error, unsupported uCode type\n");
+                return -ENOSYS;
+        }
+        if ((ofs + size) > maxsize) {
+                IWL_DEBUG_INFO(priv, "Invalid offset/size: out of range\n");
+                return -EINVAL;
+        }
        priv->testmode_sram.buff_size = (size / 4) * 4;
        priv->testmode_sram.buff_addr =
                kmalloc(priv->testmode_sram.buff_size, GFP_KERNEL);
author	Kenny Hsu <kenny.hsu@intel.com>	2011-11-23 09:57:22 -0500
committer	Wey-Yi Guy <wey-yi.w.guy@intel.com>	2011-12-02 11:20:57 -0500
commit	76de2f29d437fc1c9324e353e26c5879a4fa6dfb (patch)
tree	ced1f959636ecbb1acbef1b9f73e648f04f9039e /drivers
parent	306713fd1a04801ab3c9b5c0f76b615f1db46e6d (diff)

diff --git a/drivers/net/wireless/iwlwifi/iwl-sv-open.c b/drivers/net/wireless/iwlwifi/iwl-sv-open.c index 593f42d9fb0a..a8d0ef649a7c 100644 --- a/drivers/net/wireless/iwlwifi/iwl-sv-open.c +++ b/drivers/net/wireless/iwlwifi/iwl-sv-open.c
@@ -680,7 +680,7 @@ static int iwl_testmode_ownership(struct ieee80211_hw hw, struct nlattr *tb)
680	static int iwl_testmode_sram(struct ieee80211_hw hw, struct nlattr *tb)	680	static int iwl_testmode_sram(struct ieee80211_hw hw, struct nlattr *tb)
681	{	681	{
682	struct iwl_priv *priv = hw->priv;	682	struct iwl_priv *priv = hw->priv;
683	u32 base, ofs, size;	683	u32 base, ofs, size, maxsize;
684		684
685	if (priv->testmode_sram.sram_readed)	685	if (priv->testmode_sram.sram_readed)
686	return -EBUSY;	686	return -EBUSY;
@@ -695,6 +695,27 @@ static int iwl_testmode_sram(struct ieee80211_hw hw, struct nlattr *tb)
695	return -ENOMSG;	695	return -ENOMSG;
696	}	696	}
697	size = nla_get_u32(tb[IWL_TM_ATTR_SRAM_SIZE]);	697	size = nla_get_u32(tb[IWL_TM_ATTR_SRAM_SIZE]);
		698	switch (priv->ucode_type) {
		699	case IWL_UCODE_REGULAR:
		700	maxsize = trans(priv)->ucode_rt.data.len;
		701	break;
		702	case IWL_UCODE_INIT:
		703	maxsize = trans(priv)->ucode_init.data.len;
		704	break;
		705	case IWL_UCODE_WOWLAN:
		706	maxsize = trans(priv)->ucode_wowlan.data.len;
		707	break;
		708	case IWL_UCODE_NONE:
		709	IWL_DEBUG_INFO(priv, "Error, uCode does not been loaded\n");
		710	return -ENOSYS;
		711	default:
		712	IWL_DEBUG_INFO(priv, "Error, unsupported uCode type\n");
		713	return -ENOSYS;
		714	}
		715	if ((ofs + size) > maxsize) {
		716	IWL_DEBUG_INFO(priv, "Invalid offset/size: out of range\n");
		717	return -EINVAL;
		718	}
698	priv->testmode_sram.buff_size = (size / 4) * 4;	719	priv->testmode_sram.buff_size = (size / 4) * 4;
699	priv->testmode_sram.buff_addr =	720	priv->testmode_sram.buff_addr =
700	kmalloc(priv->testmode_sram.buff_size, GFP_KERNEL);	721	kmalloc(priv->testmode_sram.buff_size, GFP_KERNEL);