From owner-svn-src-head@freebsd.org Thu Jun 2 04:53:29 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BCE67B677F8; Thu, 2 Jun 2016 04:53:29 +0000 (UTC) (envelope-from adrian@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8DC221A4E; Thu, 2 Jun 2016 04:53:29 +0000 (UTC) (envelope-from adrian@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u524rSPa008207; Thu, 2 Jun 2016 04:53:28 GMT (envelope-from adrian@FreeBSD.org) Received: (from adrian@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u524rS0s008205; Thu, 2 Jun 2016 04:53:28 GMT (envelope-from adrian@FreeBSD.org) Message-Id: <201606020453.u524rS0s008205@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: adrian set sender to adrian@FreeBSD.org using -f From: Adrian Chadd Date: Thu, 2 Jun 2016 04:53:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r301189 - head/sys/dev/iwm X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jun 2016 04:53:29 -0000 Author: adrian Date: Thu Jun 2 04:53:28 2016 New Revision: 301189 URL: https://svnweb.freebsd.org/changeset/base/301189 Log: [iwm] Use IWM_MAX_CMD_PAYLOAD_SIZE to improve command length checks. Taken-From: OpenBSD (parts of if_iwm.c r1.57 and if_iwmreg.h r1.10) Obtained from: DragonflyBSD b70c1eaad06257c5c7f4d8110d21642ebec14f42 Modified: head/sys/dev/iwm/if_iwm_util.c head/sys/dev/iwm/if_iwmreg.h Modified: head/sys/dev/iwm/if_iwm_util.c ============================================================================== --- head/sys/dev/iwm/if_iwm_util.c Thu Jun 2 04:42:45 2016 (r301188) +++ head/sys/dev/iwm/if_iwm_util.c Thu Jun 2 04:53:28 2016 (r301189) @@ -224,7 +224,10 @@ iwm_send_cmd(struct iwm_softc *sc, struc "large command paylen=%u len0=%u\n", paylen, hcmd->len[0]); /* Command is too large */ - if (sizeof(cmd->hdr) + paylen > IWM_RBUF_SIZE) { + if (paylen > IWM_MAX_CMD_PAYLOAD_SIZE) { + device_printf(sc->sc_dev, + "firmware command too long (%zd bytes)\n", + paylen + sizeof(cmd->hdr)); error = EINVAL; goto out; } @@ -269,7 +272,7 @@ iwm_send_cmd(struct iwm_softc *sc, struc (unsigned long) (hcmd->len[0] + hcmd->len[1] + sizeof(cmd->hdr)), async ? " (async)" : ""); - if (hcmd->len[0] > sizeof(cmd->data)) { + if (paylen > sizeof(cmd->data)) { bus_dmamap_sync(ring->data_dmat, data->map, BUS_DMASYNC_PREWRITE); } else { Modified: head/sys/dev/iwm/if_iwmreg.h ============================================================================== --- head/sys/dev/iwm/if_iwmreg.h Thu Jun 2 04:42:45 2016 (r301188) +++ head/sys/dev/iwm/if_iwmreg.h Thu Jun 2 04:53:28 2016 (r301189) @@ -5243,6 +5243,7 @@ enum iwm_power_scheme { }; #define IWM_DEF_CMD_PAYLOAD_SIZE 320 +#define IWM_MAX_CMD_PAYLOAD_SIZE ((4096 - 4) - sizeof(struct iwm_cmd_header)) #define IWM_CMD_FAILED_MSK 0x40 struct iwm_device_cmd {