Commit e33761e6 authored by Michael Buesch's avatar Michael Buesch Committed by John W. Linville

ssb: Fix range check in sprom write

The range check in the sprom image parser hex2sprom() is broken.
One sprom word is 4 hex characters.
This fixes the check and also adds much better sanity checks to the code.
We better make sure the image is OK by doing some sanity checks to avoid
bricking the device by accident.
Signed-off-by: default avatarMichael Buesch <mb@bu3sch.de>
Cc: stable@kernel.org
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 3ba6018a
...@@ -13,6 +13,8 @@ ...@@ -13,6 +13,8 @@
#include "ssb_private.h" #include "ssb_private.h"
#include <linux/ctype.h>
static const struct ssb_sprom *fallback_sprom; static const struct ssb_sprom *fallback_sprom;
...@@ -33,17 +35,27 @@ static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len, ...@@ -33,17 +35,27 @@ static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len,
static int hex2sprom(u16 *sprom, const char *dump, size_t len, static int hex2sprom(u16 *sprom, const char *dump, size_t len,
size_t sprom_size_words) size_t sprom_size_words)
{ {
char tmp[5] = { 0 }; char c, tmp[5] = { 0 };
int cnt = 0; int err, cnt = 0;
unsigned long parsed; unsigned long parsed;
if (len < sprom_size_words * 2) /* Strip whitespace at the end. */
while (len) {
c = dump[len - 1];
if (!isspace(c) && c != '\0')
break;
len--;
}
/* Length must match exactly. */
if (len != sprom_size_words * 4)
return -EINVAL; return -EINVAL;
while (cnt < sprom_size_words) { while (cnt < sprom_size_words) {
memcpy(tmp, dump, 4); memcpy(tmp, dump, 4);
dump += 4; dump += 4;
parsed = simple_strtoul(tmp, NULL, 16); err = strict_strtoul(tmp, 16, &parsed);
if (err)
return err;
sprom[cnt++] = swab16((u16)parsed); sprom[cnt++] = swab16((u16)parsed);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment