authormatthieu castet <castet.matthieu@free.fr>2005-11-08 00:02:30 +0100
committerGreg Kroah-Hartman <gregkh@suse.de>2006-01-04 13:48:29 -0800
commit8d7802ed3c617120863f84346638d1cf1c96137b (patch)
tree008b4724dd19719a3541651a8e68a250a5ecf587
parentb72458a80c75cab832248f536412f386e20a93a0 (diff)
[PATCH] USB: Eagle and ADI 930 usb adsl modem driver fix
More care on loading firmware, take into account fw->size can't be zero. Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/atm/ueagle-atm.c28
1 files changed, 18 insertions, 10 deletions
diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c
index 3e2475c666a..be08e16df09 100644
--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -426,14 +426,14 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
pfw = fw_entry->data;
size = fw_entry->size;
+ if (size < 4)
+ goto err_fw_corrupted;
crc = FW_GET_LONG(pfw);
pfw += 4;
size -= 4;
- if (crc32_be(0, pfw, size) != crc) {
- uea_err(usb, "firmware is corrupted\n");
- goto err;
- }
+ if (crc32_be(0, pfw, size) != crc)
+ goto err_fw_corrupted;
/*
* Start to upload formware : send reset
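Review bot: The new `if (size < 4)` guard still accepts an image that holds nothing but the 4-byte CRC word. In that case `size` becomes 0, the CRC is taken over an empty payload, the upload loop in the next hunk is skipped and the later `size != 0` test passes; assuming crc32_be() returns its seed for a zero length, four zero bytes would then be logged as "firmware uploaded". If an empty payload is never valid, reject it here with `if (size <= 4)`. A short comment such as `/* first 4 bytes: CRC32 of the remaining data */` would also explain the constant. The function body starts and ends outside this hunk.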
@@ -446,9 +446,14 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
goto err;
}
- while (size > 0) {
+ while (size > 3) {
u8 len = FW_GET_BYTE(pfw);
u16 add = FW_GET_WORD(pfw + 1);
+
+ size -= len + 3;
+ if (size < 0)
+ goto err_fw_corrupted;
+
ret = uea_send_modem_cmd(usb, add, len, pfw + 3);
if (ret < 0) {
uea_err(usb, "uploading firmware data failed "
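Review bot: The `if (size < 0)` test after `size -= len + 3;` is only effective if `size` is a signed type, and its declaration is outside this hunk. `size` is assigned from `fw_entry->size`, so if it were unsigned the subtraction would wrap and a record whose `len` runs past the end of the image would still be handed to uea_send_modem_cmd() from `pfw + 3`. Comparing before subtracting removes the dependence on signedness: `if (len + 3 > size) goto err_fw_corrupted;` followed by `size -= len + 3;`. The loop body continues outside the hunk.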
@@ -456,9 +461,11 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
goto err;
}
pfw += len + 3;
- size -= len + 3;
}
+ if (size != 0)
+ goto err_fw_corrupted;
+
/*
* Tell the modem we finish : de-assert reset
*/
@@ -469,6 +476,11 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
else
uea_info(usb, "firmware uploaded\n");
+ uea_leaves(usb);
+ return;
+
+err_fw_corrupted:
+ uea_err(usb, "firmware is corrupted\n");
err:
uea_leaves(usb);
}
@@ -522,10 +534,6 @@ static int check_dsp(u8 *dsp, unsigned int len)
u32 pageoffset;
unsigned int i, j, p, pp;
- /* enough space for pagecount? */
- if (len < 1)
- return 1;
-
pagecount = FW_GET_BYTE(dsp);
p = 1;