d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix bad EEPROM parsing code.

Browse Source 
MFC after:	2 weeks
This commit is contained in:
Hans Petter Selasky 2013-02-18 17:55:27 +00:00
parent 6e1ff18743
commit 1b9c9ab29a
2 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
sys/dev/usb/wlan/if_upgt.c
View File

@ -1132,12 +1132,23 @@ upgt_eeprom_parse(struct upgt_softc *sc)
(sizeof(struct upgt_eeprom_header) + preamble_len));
while (!option_end) {
/* sanity check */
if (eeprom_option >= (struct upgt_eeprom_option *)
(sc->sc_eeprom + UPGT_EEPROM_SIZE)) {
return (EINVAL);
}
/* the eeprom option length is stored in words */
option_len =
(le16toh(eeprom_option->len) - 1) * sizeof(uint16_t);
option_type =
le16toh(eeprom_option->type);
/* sanity check */
if (option_len == 0 || option_len >= UPGT_EEPROM_SIZE)
return (EINVAL);
switch (option_type) {
case UPGT_EEPROM_TYPE_NAME:
DPRINTF(sc, UPGT_DEBUG_FW,
@ -1208,7 +1219,6 @@ upgt_eeprom_parse(struct upgt_softc *sc)
eeprom_option = (struct upgt_eeprom_option *)
(eeprom_option->data + option_len);
}
return (0);
}
@ -1217,7 +1227,9 @@ upgt_eeprom_parse_freq3(struct upgt_softc *sc, uint8_t *data, int len)
{
struct upgt_eeprom_freq3_header *freq3_header;
struct upgt_lmac_freq3 *freq3;
int i, elements, flags;
int i;
int elements;
int flags;
unsigned channel;
freq3_header = (struct upgt_eeprom_freq3_header *)data;
@ -1229,6 +1241,9 @@ upgt_eeprom_parse_freq3(struct upgt_softc *sc, uint8_t *data, int len)
DPRINTF(sc, UPGT_DEBUG_FW, "flags=0x%02x elements=%d\n",
flags, elements);
if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq3[0])))
return;
for (i = 0; i < elements; i++) {
channel = ieee80211_mhz2ieee(le16toh(freq3[i].freq), 0);
if (channel >= IEEE80211_CHAN_MAX)
@ -1247,7 +1262,11 @@ upgt_eeprom_parse_freq4(struct upgt_softc *sc, uint8_t *data, int len)
struct upgt_eeprom_freq4_header *freq4_header;
struct upgt_eeprom_freq4_1 *freq4_1;
struct upgt_eeprom_freq4_2 *freq4_2;
int i, j, elements, settings, flags;
int i;
int j;
int elements;
int settings;
int flags;
unsigned channel;
freq4_header = (struct upgt_eeprom_freq4_header *)data;
@ -1262,6 +1281,9 @@ upgt_eeprom_parse_freq4(struct upgt_softc *sc, uint8_t *data, int len)
DPRINTF(sc, UPGT_DEBUG_FW, "flags=0x%02x elements=%d settings=%d\n",
flags, elements, settings);
if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq4_1[0])))
return;
for (i = 0; i < elements; i++) {
channel = ieee80211_mhz2ieee(le16toh(freq4_1[i].freq), 0);
if (channel >= IEEE80211_CHAN_MAX)
@ -1282,7 +1304,8 @@ void
upgt_eeprom_parse_freq6(struct upgt_softc *sc, uint8_t *data, int len)
{
struct upgt_lmac_freq6 *freq6;
int i, elements;
int i;
int elements;
unsigned channel;
freq6 = (struct upgt_lmac_freq6 *)data;
@ -1290,6 +1313,9 @@ upgt_eeprom_parse_freq6(struct upgt_softc *sc, uint8_t *data, int len)
DPRINTF(sc, UPGT_DEBUG_FW, "elements=%d\n", elements);
if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq6[0])))
return;
for (i = 0; i < elements; i++) {
channel = ieee80211_mhz2ieee(le16toh(freq6[i].freq), 0);
if (channel >= IEEE80211_CHAN_MAX)

2
sys/dev/usb/wlan/if_upgtvar.h
View File

@ -453,7 +453,7 @@ struct upgt_softc {
struct upgt_memory sc_memory;
/* data which we found in the EEPROM */
uint8_t sc_eeprom[UPGT_EEPROM_SIZE];
uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4);
uint16_t sc_eeprom_hwrx;
struct upgt_lmac_freq3 sc_eeprom_freq3[IEEE80211_CHAN_MAX];
struct upgt_lmac_freq4 sc_eeprom_freq4[IEEE80211_CHAN_MAX][8];