1 files changed, 16 insertions, 7 deletions
diff --git a/drivers/usb/misc/isight_firmware.c b/drivers/usb/misc/isight_firmware.c
index 390e04885536..9f30aa1f8a5d 100644
--- a/drivers/usb/misc/isight_firmware.c
+++ b/drivers/usb/misc/isight_firmware.c
@@ -39,9 +39,12 @@ static int isight_firmware_load(struct usb_interface *intf,
        struct usb_device *dev = interface_to_usbdev(intf);
        int llen, len, req, ret = 0;
        const struct firmware *firmware;
-        unsigned char *buf;
+        unsigned char *buf = kmalloc(50, GFP_KERNEL);
        unsigned char data[4];
-        char *ptr;
+        u8 *ptr;
+        if (!buf)
+                return -ENOMEM;
        if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) {
                printk(KERN_ERR "Unable to load isight firmware\n");
@@ -59,7 +62,7 @@ static int isight_firmware_load(struct usb_interface *intf,
                goto out;
        }
-        while (1) {
+        while (ptr+4 <= firmware->data+firmware->size) {
                memcpy(data, ptr, 4);
                len = (data[0] << 8 | data[1]);
                req = (data[2] << 8 | data[3]);
@@ -71,10 +74,14 @@ static int isight_firmware_load(struct usb_interface *intf,
                        continue;
                for (; len > 0; req += 50) {
-                        llen = len > 50 ? 50 : len;
+                        llen = min(len, 50);
                        len -= llen;
+                        if (ptr+llen > firmware->data+firmware->size) {
-                        buf = kmalloc(llen, GFP_KERNEL);
+                                printk(KERN_ERR
+                                       "Malformed isight firmware");
+                                ret = -ENODEV;
+                                goto out;
+                        }
                        memcpy(buf, ptr, llen);
                        ptr += llen;
@@ -89,16 +96,18 @@ static int isight_firmware_load(struct usb_interface *intf,
                                goto out;
                        }
-                        kfree(buf);
                }
        }
        if (usb_control_msg
            (dev, usb_sndctrlpipe(dev, 0), 0xa0, 0x40, 0xe600, 0, "\0", 1,
             300) != 1) {
                printk(KERN_ERR "isight firmware loading completion failed\n");
                ret = -ENODEV;
        }
 out:
+        kfree(buf);
        release_firmware(firmware);
        return ret;
 }

diff --git a/drivers/usb/misc/isight_firmware.c b/drivers/usb/misc/isight_firmware.c index 390e04885536..9f30aa1f8a5d 100644 --- a/drivers/usb/misc/isight_firmware.c +++ b/drivers/usb/misc/isight_firmware.c
@@ -39,9 +39,12 @@ static int isight_firmware_load(struct usb_interface *intf,
39	struct usb_device *dev = interface_to_usbdev(intf);	39	struct usb_device *dev = interface_to_usbdev(intf);
40	int llen, len, req, ret = 0;	40	int llen, len, req, ret = 0;
41	const struct firmware *firmware;	41	const struct firmware *firmware;
42	unsigned char *buf;	42	unsigned char *buf = kmalloc(50, GFP_KERNEL);
43	unsigned char data[4];	43	unsigned char data[4];
44	char *ptr;	44	u8 *ptr;
		45
		46	if (!buf)
		47	return -ENOMEM;
45		48
46	if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) {	49	if (request_firmware(&firmware, "isight.fw", &dev->dev) != 0) {
47	printk(KERN_ERR "Unable to load isight firmware\n");	50	printk(KERN_ERR "Unable to load isight firmware\n");
@@ -59,7 +62,7 @@ static int isight_firmware_load(struct usb_interface *intf,
59	goto out;	62	goto out;
60	}	63	}
61		64
62	while (1) {	65	while (ptr+4 <= firmware->data+firmware->size) {
63	memcpy(data, ptr, 4);	66	memcpy(data, ptr, 4);
64	len = (data[0] << 8 \| data[1]);	67	len = (data[0] << 8 \| data[1]);
65	req = (data[2] << 8 \| data[3]);	68	req = (data[2] << 8 \| data[3]);
@@ -71,10 +74,14 @@ static int isight_firmware_load(struct usb_interface *intf,
71	continue;	74	continue;
72		75
73	for (; len > 0; req += 50) {	76	for (; len > 0; req += 50) {
74	llen = len > 50 ? 50 : len;	77	llen = min(len, 50);
75	len -= llen;	78	len -= llen;
76		79	if (ptr+llen > firmware->data+firmware->size) {
77	buf = kmalloc(llen, GFP_KERNEL);	80	printk(KERN_ERR
		81	"Malformed isight firmware");
		82	ret = -ENODEV;
		83	goto out;
		84	}
78	memcpy(buf, ptr, llen);	85	memcpy(buf, ptr, llen);
79		86
80	ptr += llen;	87	ptr += llen;
@@ -89,16 +96,18 @@ static int isight_firmware_load(struct usb_interface *intf,
89	goto out;	96	goto out;
90	}	97	}
91		98
92	kfree(buf);
93	}	99	}
94	}	100	}
		101
95	if (usb_control_msg	102	if (usb_control_msg
96	(dev, usb_sndctrlpipe(dev, 0), 0xa0, 0x40, 0xe600, 0, "\0", 1,	103	(dev, usb_sndctrlpipe(dev, 0), 0xa0, 0x40, 0xe600, 0, "\0", 1,
97	300) != 1) {	104	300) != 1) {
98	printk(KERN_ERR "isight firmware loading completion failed\n");	105	printk(KERN_ERR "isight firmware loading completion failed\n");
99	ret = -ENODEV;	106	ret = -ENODEV;
100	}	107	}
		108
101	out:	109	out:
		110	kfree(buf);
102	release_firmware(firmware);	111	release_firmware(firmware);
103	return ret;	112	return ret;
104	}	113	}