[PATCH 2/3] rt2x00: Restrict firmware file lengths

Ivo van Doorn <ivdoorn@xxxxxxxxx> · Fri, 23 Jan 2009 17:03:24 +0100

Add extra security to the drivers for firmware loading,
check the firmware file length before uploading it to
the hardware. Incorrect lengths might indicate a firmware
upgrade (which is not yet supported by the driver) or
otherwise incorrect firmware.

Signed-off-by: Ivo van Doorn <IvDoorn@xxxxxxxxx>
---
 drivers/net/wireless/rt2x00/rt61pci.c |    5 +++++
 drivers/net/wireless/rt2x00/rt73usb.c |    5 +++++
 2 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/drivers/net/wireless/rt2x00/rt61pci.c b/drivers/net/wireless/rt2x00/rt61pci.c
index 3a7ecca..d81a8de 100644
--- a/drivers/net/wireless/rt2x00/rt61pci.c
+++ b/drivers/net/wireless/rt2x00/rt61pci.c
@@ -1199,6 +1199,11 @@ static int rt61pci_load_firmware(struct rt2x00_dev *rt2x00dev, const void *data,
 	int i;
 	u32 reg;
 
+	if (len != 8192) {
+		ERROR(rt2x00dev, "Invalid firmware file length (len=%zu)\n", len);
+		return -ENOENT;
+	}
+
 	/*
 	 * Wait for stable hardware.
 	 */
diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c
index 60c43c1..f854551 100644
--- a/drivers/net/wireless/rt2x00/rt73usb.c
+++ b/drivers/net/wireless/rt2x00/rt73usb.c
@@ -1085,6 +1085,11 @@ static int rt73usb_load_firmware(struct rt2x00_dev *rt2x00dev, const void *data,
 	int status;
 	u32 reg;
 
+	if (len != 2048) {
+		ERROR(rt2x00dev, "Invalid firmware file length (len=%zu)\n", len);
+		return -ENOENT;
+	}
+
 	/*
 	 * Wait for stable hardware.
 	 */
-- 
1.5.6.1

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




