aboutsummaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorMichael Buesch <mb@bu3sch.de>2009-11-23 20:58:06 +0100
committerGreg Kroah-Hartman <gregkh@suse.de>2009-12-18 13:30:47 -0800
commitd66f16e8a63d1f2198bc2cd8e6bd91b5378fca20 (patch)
tree91171ba97bfe5722d76da0c2d52284ee421590e9 /drivers
parent4a4e3688bd53ac0bb5d40d33a666e9e343da562b (diff)
ssb: Fix range check in sprom write
commit e33761e6f23881de9f3ee77cc2204ab2e26f3d9a upstream. The range check in the sprom image parser hex2sprom() is broken. One sprom word is 4 hex characters. This fixes the check and also adds much better sanity checks to the code. We better make sure the image is OK by doing some sanity checks to avoid bricking the device by accident. Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/ssb/sprom.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c
index 3668edb3931..17471a7155c 100644
--- a/drivers/ssb/sprom.c
+++ b/drivers/ssb/sprom.c
@@ -13,6 +13,8 @@
#include "ssb_private.h"
+#include <linux/ctype.h>
+
static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len,
size_t sprom_size_words)
@@ -30,17 +32,27 @@ static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len,
static int hex2sprom(u16 *sprom, const char *dump, size_t len,
size_t sprom_size_words)
{
- char tmp[5] = { 0 };
- int cnt = 0;
+ char c, tmp[5] = { 0 };
+ int err, cnt = 0;
unsigned long parsed;
- if (len < sprom_size_words * 2)
+ /* Strip whitespace at the end. */
+ while (len) {
+ c = dump[len - 1];
+ if (!isspace(c) && c != '\0')
+ break;
+ len--;
+ }
+ /* Length must match exactly. */
+ if (len != sprom_size_words * 4)
return -EINVAL;
while (cnt < sprom_size_words) {
memcpy(tmp, dump, 4);
dump += 4;
- parsed = simple_strtoul(tmp, NULL, 16);
+ err = strict_strtoul(tmp, 16, &parsed);
+ if (err)
+ return err;
sprom[cnt++] = swab16((u16)parsed);
}