orinoco: prevent accessing memory outside the firmware image
Do this by indicating the end of the appropriate regions of memory.
Note that MAX_PDA_SIZE should only apply to the PDA block read from
flash/EEPROM, and has been erronously applied to the pdr elements.
Remove the macro, and use the actual PDA size passed down by the caller.
We also fix up some of the types used, marking as much as possible
const, and using void* for the end pointers.
Signed-off-by: David Kilroy <kilroyd@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
diff --git a/drivers/net/wireless/orinoco/fw.c b/drivers/net/wireless/orinoco/fw.c
index 9f163fe..e7abb45 100644
--- a/drivers/net/wireless/orinoco/fw.c
+++ b/drivers/net/wireless/orinoco/fw.c
@@ -83,7 +83,7 @@
const struct firmware *fw_entry;
const struct orinoco_fw_header *hdr;
const unsigned char *first_block;
- const unsigned char *end;
+ const void *end;
const char *firmware;
const char *fw_err;
struct net_device *dev = priv->ndev;
@@ -152,7 +152,8 @@
le16_to_cpu(hdr->headersize) +
le32_to_cpu(hdr->pdr_offset));
- err = hermes_apply_pda_with_defaults(hw, first_block, pda);
+ err = hermes_apply_pda_with_defaults(hw, first_block, end, pda,
+ &pda[fw->pda_size / sizeof(*pda)]);
printk(KERN_DEBUG "%s: Apply PDA returned %d\n", dev->name, err);
if (err)
goto abort;
@@ -184,7 +185,7 @@
*/
static int
symbol_dl_image(struct orinoco_private *priv, const struct fw_info *fw,
- const unsigned char *image, const unsigned char *end,
+ const unsigned char *image, const void *end,
int secondary)
{
hermes_t *hw = &priv->hw;
@@ -225,9 +226,10 @@
/* Write the PDA to the adapter */
if (secondary) {
- size_t len = hermes_blocks_length(first_block);
+ size_t len = hermes_blocks_length(first_block, end);
ptr = first_block + len;
- ret = hermes_apply_pda(hw, ptr, pda);
+ ret = hermes_apply_pda(hw, ptr, end, pda,
+ &pda[fw->pda_size / sizeof(*pda)]);
kfree(pda);
if (ret)
return ret;