authorDan Carpenter <dan.carpenter@oracle.com>2013-03-01 23:28:06 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-03-11 09:15:32 -0700
commit2c5270ac807e46889fb08c3cf3c65902d0c35bb2 (patch)
tree8cc87bce0080428f181873900fcfc26ed4eac16a /drivers/staging/bcm/InterfaceDld.c
parentStaging: bcm: avoid use-after-free in bcm_char_ioctl() (diff)
Staging: bcm: potential forever loop verifying firmware
There is an ioctl() to write data to the firmware. After the data is written, it reads the data back from the firmware and compares it against what the user wanted to write and prints an error message if it doesn't match. The problem is that the verify process has a forever loop if the firmware size is not a multiple of 4. I've fixed it by replacing the bcm compare function with memcmp(). I have chopped out some debugging code in the process. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/bcm/InterfaceDld.c')
-rw-r--r--drivers/staging/bcm/InterfaceDld.c32
1 files changed, 5 insertions, 27 deletions
diff --git a/drivers/staging/bcm/InterfaceDld.c b/drivers/staging/bcm/InterfaceDld.c
index 64ea6edb9dc2..348ad75b340d 100644
--- a/drivers/staging/bcm/InterfaceDld.c
+++ b/drivers/staging/bcm/InterfaceDld.c
@@ -205,30 +205,6 @@ static int bcm_download_config_file(struct bcm_mini_adapter *Adapter, struct bcm
return retval;
}
-static int bcm_compare_buff_contents(unsigned char *readbackbuff, unsigned char *buff, unsigned int len)
-{
- int retval = STATUS_SUCCESS;
- struct bcm_mini_adapter *Adapter = GET_BCM_ADAPTER(gblpnetdev);
- if ((len-sizeof(unsigned int)) < 4) {
- if (memcmp(readbackbuff , buff, len))
- retval = -EINVAL;
- } else {
- len -= 4;
-
- while (len) {
- if (*(unsigned int *)&readbackbuff[len] != *(unsigned int *)&buff[len]) {
- BCM_DEBUG_PRINT(Adapter, DBG_TYPE_INITEXIT, MP_INIT, DBG_LVL_ALL, "Firmware Download is not proper");
- BCM_DEBUG_PRINT(Adapter, DBG_TYPE_INITEXIT, MP_INIT, DBG_LVL_ALL, "Val from Binary %x, Val From Read Back %x ", *(unsigned int *)&buff[len], *(unsigned int*)&readbackbuff[len]);
- BCM_DEBUG_PRINT(Adapter, DBG_TYPE_INITEXIT, MP_INIT, DBG_LVL_ALL, "len =%x!!!", len);
- retval = -EINVAL;
- break;
- }
- len -= 4;
- }
- }
- return retval;
-}
-
int bcm_ioctl_fw_download(struct bcm_mini_adapter *Adapter, struct bcm_firmware_info *psFwInfo)
{
int retval = STATUS_SUCCESS;
@@ -321,9 +297,11 @@ static INT buffRdbkVerify(struct bcm_mini_adapter *Adapter, PUCHAR mappedbuffer,
break;
}
- retval = bcm_compare_buff_contents(readbackbuff, mappedbuffer, len);
- if (STATUS_SUCCESS != retval)
- break;
+ if (memcmp(readbackbuff, mappedbuffer, len) != 0) {
+ pr_err("%s() failed. The firmware doesn't match what was written",
+ __func__);
+ retval = -EIO;
+ }
u32StartingAddress += len;
u32FirmwareLength -= len;
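Review bot: The mismatch branch in buffRdbkVerify() no longer leaves the loop, because the old `break;` went away with the helper call. The verification failure therefore only survives if the enclosing loop condition tests `retval`, and that condition is outside this hunk. If it does not, a later iteration could overwrite `-EIO` and a corrupted firmware image would be reported as verified. Adding `break;` after `retval = -EIO;` makes the failure path explicit at no cost. The `pr_err()` format string also lacks a trailing newline, so I would write `pr_err("%s() failed. The firmware doesn't match what was written\n", __func__);`, and consider including `u32StartingAddress` so the failing chunk can be located now that the per-word debug output is gone.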