matthieu castet wrote:
Hi,
here the corrected version of ueagle-atm.
The comments of Adrew Morton and Greg KH have been applied.
We also fix a bug in the check_dsp routine (reported on our mailling
list) and kill some unsued code.
Signed-off-by: Matthieu CASTET <[email protected]>
Could you add this fix ?
More care on loading firmware, take into account fw->size can't be zero.
thanks
Matthieu
Signed-off-by: Matthieu CASTET <[email protected]>
--- linux-2.6.14/drivers/usb/atm/ueagle-atm.c (révision 175)
+++ linux-2.6.14b/drivers/usb/atm/ueagle-atm.c (copie de travail)
@@ -426,14 +426,14 @@
pfw = fw_entry->data;
size = fw_entry->size;
+ if (size < 4)
+ goto err_fw_corrupted;
crc = FW_GET_LONG(pfw);
pfw += 4;
size -= 4;
- if (crc32_be(0, pfw, size) != crc) {
- uea_err(usb, "firmware is corrupted\n");
- goto err;
- }
+ if (crc32_be(0, pfw, size) != crc)
+ goto err_fw_corrupted;
/*
* Start to upload formware : send reset
@@ -446,9 +446,14 @@
goto err;
}
- while (size > 0) {
+ while (size > 3) {
u8 len = FW_GET_BYTE(pfw);
u16 add = FW_GET_WORD(pfw + 1);
+
+ size -= len + 3;
+ if (size < 0)
+ goto err_fw_corrupted;
+
ret = uea_send_modem_cmd(usb, add, len, pfw + 3);
if (ret < 0) {
uea_err(usb, "uploading firmware data failed "
@@ -456,9 +461,11 @@
goto err;
}
pfw += len + 3;
- size -= len + 3;
}
+ if (size != 0)
+ goto err_fw_corrupted;
+
/*
* Tell the modem we finish : de-assert reset
*/
@@ -469,6 +476,11 @@
else
uea_info(usb, "firmware uploaded\n");
+ uea_leaves(usb);
+ return;
+
+err_fw_corrupted:
+ uea_err(usb, "firmware is corrupted\n");
err:
uea_leaves(usb);
}
@@ -522,10 +534,6 @@
u32 pageoffset;
unsigned int i, j, p, pp;
- /* enough space for pagecount? */
- if (len < 1)
- return 1;
-
pagecount = FW_GET_BYTE(dsp);
p = 1;
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]