Fix for Bugzilla 21872. New function wl_check_firmwares() checks validity of all firmware images loaded from user space. Signed-off-by: Roland Vossen <rvossen@xxxxxxxxxxxx> --- drivers/staging/brcm80211/sys/wl_mac80211.c | 54 ++++++++++++++++++++++- drivers/staging/brcm80211/sys/wl_ucode.h | 4 ++ drivers/staging/brcm80211/sys/wl_ucode_loader.c | 4 ++ 3 files changed, 60 insertions(+), 2 deletions(-) diff --git a/drivers/staging/brcm80211/sys/wl_mac80211.c b/drivers/staging/brcm80211/sys/wl_mac80211.c index 364b349..d41212b 100644 --- a/drivers/staging/brcm80211/sys/wl_mac80211.c +++ b/drivers/staging/brcm80211/sys/wl_mac80211.c @@ -1776,8 +1776,7 @@ static int wl_request_fw(struct wl_info *wl, struct pci_dev *pdev) wl->fw.hdr_num_entries[i])); } wl->fw.fw_cnt = i; - wl_ucode_data_init(wl); - return 0; + return wl_ucode_data_init(wl); } void wl_ucode_free_buf(void *p) @@ -1793,3 +1792,54 @@ static void wl_release_fw(struct wl_info *wl) release_firmware(wl->fw.fw_hdr[i]); } } + + +/* + * checks validity of all firmware images loaded from user space + */ +int wl_check_firmwares(struct wl_info *wl) +{ + int i; + int entry; + int rc = 0; + const struct firmware *fw; + const struct firmware *fw_hdr; + struct wl_fw_hdr *ucode_hdr; + for (i = 0; i < WL_MAX_FW && rc == 0; i++) { + fw = wl->fw.fw_bin[i]; + fw_hdr = wl->fw.fw_hdr[i]; + if (fw == NULL && fw_hdr == NULL) { + break; + } else if (fw == NULL || fw_hdr == NULL) { + WL_ERROR(("%s: invalid bin/hdr fw\n", __func__)); + rc = -EBADF; + } else if (fw_hdr->size % sizeof(struct wl_fw_hdr)) { + WL_ERROR(("%s: non integral fw hdr file size %d/%d\n", + __func__, fw_hdr->size, + sizeof(struct wl_fw_hdr))); + rc = -EBADF; + } else if (fw->size < MIN_FW_SIZE || fw->size > MAX_FW_SIZE) { + WL_ERROR(("%s: out of bounds fw file size %d\n", + __func__, fw->size)); + rc = -EBADF; + } else { + /* check if ucode section overruns firmware image */ + ucode_hdr = (struct wl_fw_hdr *)fw_hdr->data; + for (entry = 0; entry < wl->fw.hdr_num_entries[i] && rc; + entry++, ucode_hdr++) { + if (ucode_hdr->offset + ucode_hdr->len > + fw->size) { + WL_ERROR(("%s: conflicting bin/hdr\n", + __func__)); + rc = -EBADF; + } + } + } + } + if (rc == 0 && wl->fw.fw_cnt != i) { + WL_ERROR(("%s: invalid fw_cnt=%d\n", __func__, wl->fw.fw_cnt)); + rc = -EBADF; + } + return rc; +} + diff --git a/drivers/staging/brcm80211/sys/wl_ucode.h b/drivers/staging/brcm80211/sys/wl_ucode.h index b797ab6..2a0f402 100644 --- a/drivers/staging/brcm80211/sys/wl_ucode.h +++ b/drivers/staging/brcm80211/sys/wl_ucode.h @@ -14,6 +14,9 @@ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#define MIN_FW_SIZE 40000 /* minimum firmware file size in bytes */ +#define MAX_FW_SIZE 150000 + typedef struct d11init { u16 addr; u16 size; @@ -43,3 +46,4 @@ extern int wl_ucode_init_buf(struct wl_info *wl, void **pbuf, unsigned int idx); extern int wl_ucode_init_uint(struct wl_info *wl, unsigned *data, unsigned int idx); extern void wl_ucode_free_buf(void *); +extern int wl_check_firmwares(struct wl_info *wl); diff --git a/drivers/staging/brcm80211/sys/wl_ucode_loader.c b/drivers/staging/brcm80211/sys/wl_ucode_loader.c index acd2472..23e10f3 100644 --- a/drivers/staging/brcm80211/sys/wl_ucode_loader.c +++ b/drivers/staging/brcm80211/sys/wl_ucode_loader.c @@ -39,6 +39,10 @@ u32 *bcm43xx_bomminor; int wl_ucode_data_init(struct wl_info *wl) { + int rc; + rc = wl_check_firmwares(wl); + if (rc < 0) + return rc; wl_ucode_init_buf(wl, (void **)&d11lcn0bsinitvals24, D11LCN0BSINITVALS24); wl_ucode_init_buf(wl, (void **)&d11lcn0initvals24, D11LCN0INITVALS24); -- 1.7.1 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/devel