From owner-svn-src-stable@FreeBSD.ORG Thu Feb 28 16:36:12 2013 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id E92682C7; Thu, 28 Feb 2013 16:36:12 +0000 (UTC) (envelope-from hselasky@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id DB445FF1; Thu, 28 Feb 2013 16:36:12 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r1SGaCqF063145; Thu, 28 Feb 2013 16:36:12 GMT (envelope-from hselasky@svn.freebsd.org) Received: (from hselasky@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id r1SGaCDF063143; Thu, 28 Feb 2013 16:36:12 GMT (envelope-from hselasky@svn.freebsd.org) Message-Id: <201302281636.r1SGaCDF063143@svn.freebsd.org> From: Hans Petter Selasky Date: Thu, 28 Feb 2013 16:36:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r247471 - stable/8/sys/dev/usb/wlan X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Feb 2013 16:36:13 -0000 Author: hselasky Date: Thu Feb 28 16:36:12 2013 New Revision: 247471 URL: http://svnweb.freebsd.org/changeset/base/247471 Log: MFC r246944: Fix bad EEPROM parsing code. Modified: stable/8/sys/dev/usb/wlan/if_upgt.c stable/8/sys/dev/usb/wlan/if_upgtvar.h Directory Properties: stable/8/sys/ (props changed) stable/8/sys/dev/ (props changed) stable/8/sys/dev/usb/ (props changed) Modified: stable/8/sys/dev/usb/wlan/if_upgt.c ============================================================================== --- stable/8/sys/dev/usb/wlan/if_upgt.c Thu Feb 28 16:32:36 2013 (r247470) +++ stable/8/sys/dev/usb/wlan/if_upgt.c Thu Feb 28 16:36:12 2013 (r247471) @@ -1122,12 +1122,23 @@ upgt_eeprom_parse(struct upgt_softc *sc) (sizeof(struct upgt_eeprom_header) + preamble_len)); while (!option_end) { + + /* sanity check */ + if (eeprom_option >= (struct upgt_eeprom_option *) + (sc->sc_eeprom + UPGT_EEPROM_SIZE)) { + return (EINVAL); + } + /* the eeprom option length is stored in words */ option_len = (le16toh(eeprom_option->len) - 1) * sizeof(uint16_t); option_type = le16toh(eeprom_option->type); + /* sanity check */ + if (option_len == 0 || option_len >= UPGT_EEPROM_SIZE) + return (EINVAL); + switch (option_type) { case UPGT_EEPROM_TYPE_NAME: DPRINTF(sc, UPGT_DEBUG_FW, @@ -1198,7 +1209,6 @@ upgt_eeprom_parse(struct upgt_softc *sc) eeprom_option = (struct upgt_eeprom_option *) (eeprom_option->data + option_len); } - return (0); } @@ -1207,7 +1217,9 @@ upgt_eeprom_parse_freq3(struct upgt_soft { struct upgt_eeprom_freq3_header *freq3_header; struct upgt_lmac_freq3 *freq3; - int i, elements, flags; + int i; + int elements; + int flags; unsigned channel; freq3_header = (struct upgt_eeprom_freq3_header *)data; @@ -1219,6 +1231,9 @@ upgt_eeprom_parse_freq3(struct upgt_soft DPRINTF(sc, UPGT_DEBUG_FW, "flags=0x%02x elements=%d\n", flags, elements); + if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq3[0]))) + return; + for (i = 0; i < elements; i++) { channel = ieee80211_mhz2ieee(le16toh(freq3[i].freq), 0); if (channel >= IEEE80211_CHAN_MAX) @@ -1237,7 +1252,11 @@ upgt_eeprom_parse_freq4(struct upgt_soft struct upgt_eeprom_freq4_header *freq4_header; struct upgt_eeprom_freq4_1 *freq4_1; struct upgt_eeprom_freq4_2 *freq4_2; - int i, j, elements, settings, flags; + int i; + int j; + int elements; + int settings; + int flags; unsigned channel; freq4_header = (struct upgt_eeprom_freq4_header *)data; @@ -1252,6 +1271,9 @@ upgt_eeprom_parse_freq4(struct upgt_soft DPRINTF(sc, UPGT_DEBUG_FW, "flags=0x%02x elements=%d settings=%d\n", flags, elements, settings); + if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq4_1[0]))) + return; + for (i = 0; i < elements; i++) { channel = ieee80211_mhz2ieee(le16toh(freq4_1[i].freq), 0); if (channel >= IEEE80211_CHAN_MAX) @@ -1272,7 +1294,8 @@ void upgt_eeprom_parse_freq6(struct upgt_softc *sc, uint8_t *data, int len) { struct upgt_lmac_freq6 *freq6; - int i, elements; + int i; + int elements; unsigned channel; freq6 = (struct upgt_lmac_freq6 *)data; @@ -1280,6 +1303,9 @@ upgt_eeprom_parse_freq6(struct upgt_soft DPRINTF(sc, UPGT_DEBUG_FW, "elements=%d\n", elements); + if (elements >= (int)(UPGT_EEPROM_SIZE / sizeof(freq6[0]))) + return; + for (i = 0; i < elements; i++) { channel = ieee80211_mhz2ieee(le16toh(freq6[i].freq), 0); if (channel >= IEEE80211_CHAN_MAX) Modified: stable/8/sys/dev/usb/wlan/if_upgtvar.h ============================================================================== --- stable/8/sys/dev/usb/wlan/if_upgtvar.h Thu Feb 28 16:32:36 2013 (r247470) +++ stable/8/sys/dev/usb/wlan/if_upgtvar.h Thu Feb 28 16:36:12 2013 (r247471) @@ -451,7 +451,7 @@ struct upgt_softc { struct upgt_memory sc_memory; /* data which we found in the EEPROM */ - uint8_t sc_eeprom[UPGT_EEPROM_SIZE]; + uint8_t sc_eeprom[2 * UPGT_EEPROM_SIZE] __aligned(4); uint16_t sc_eeprom_hwrx; struct upgt_lmac_freq3 sc_eeprom_freq3[IEEE80211_CHAN_MAX]; struct upgt_lmac_freq4 sc_eeprom_freq4[IEEE80211_CHAN_MAX][8];