From patchwork Wed Sep 22 07:53:13 2010
X-Patchwork-Submitter: Ido Yariv
X-Patchwork-Id: 198652
From: Ido Yariv
To: linux-wireless@vger.kernel.org
Cc: Luciano Coelho, Ido Yariv
Subject: [PATCH] wl1271: Fix overflow in wl1271_boot_upload_nvs
Date: Wed, 22 Sep 2010 09:53:13 +0200
Message-Id: <1285141993-3772-1-git-send-email-ido@wizery.com>
X-Mailing-List: linux-wireless@vger.kernel.org

diff --git a/drivers/net/wireless/wl12xx/wl1271_boot.c b/drivers/net/wireless/wl12xx/wl1271_boot.c index fc21db8..e5a7f04 100644 --- a/drivers/net/wireless/wl12xx/wl1271_boot.c +++ b/drivers/net/wireless/wl12xx/wl1271_boot.c 
@@ -274,11 +274,11 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl) /* * We've reached the first zero length, the first NVS table - * is 7 bytes further. + * is located at an aligned offset which is at least 7 bytes further. */ - nvs_ptr += 7; + nvs_ptr = (u8 *)wl->nvs->nvs + + ALIGN(nvs_ptr - (u8 *)wl->nvs->nvs + 7, 4); nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs; - nvs_len = ALIGN(nvs_len, 4); /* FIXME: The driver sets the partition here, but this is not needed, since it sets to the same one as currently in use */ @@ -286,14 +286,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl) wl1271_set_partition(wl, &part_table[PART_WORK]); /* Copy the NVS tables to a new block to ensure alignment */ - /* FIXME: We jump 3 more bytes before uploading the NVS. It seems - that our NVS files have three extra zeros here. I'm not sure whether - the problem is in our NVS generation or we should really jumpt these - 3 bytes here */ - nvs_ptr += 3; - - nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); if - (!nvs_aligned) return -ENOMEM; + nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); + if (!nvs_aligned) + return -ENOMEM; /* And finally we upload the NVS tables */ /* FIXME: In wl1271, we upload everything at once.
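Review bot: In the first hunk (@@ -274), nothing checks that the aligned offset still lies inside the NVS image before `nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;` runs. `ALIGN(nvs_ptr - (u8 *)wl->nvs->nvs + 7, 4)` can move the pointer up to 10 bytes past the zero-length marker, so a file that ends shortly after the marker leaves nvs_len negative or wrapped (its type is not visible in this hunk), and that value is passed unchanged to kmemdup() in the next hunk. Suggest comparing the aligned offset against the total length and returning an error before the subtraction. Separately, with `nvs_len = ALIGN(nvs_len, 4);` removed, the copied length is a multiple of 4 only if the total NVS length is; it would help to state whether the upload path depends on that.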
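Review bot: In the second hunk (@@ -286), dropping `nvs_ptr += 3;` together with its FIXME changes behaviour for some files, and the patch carries no description saying why that is safe. The old code always skipped 7 + 3 = 10 bytes past the marker; the new `ALIGN(... + 7, 4)` skips 10 only when the marker offset is 2 modulo 4, and 7, 8 or 9 bytes otherwise. The FIXME asked whether the three zeros come from NVS generation or belong to the format, and the patch answers that implicitly by treating them as alignment padding. Please add a commit message that states this assumption about the file layout and names the overflow being fixed (the old code passed kmemdup() a length that was rounded up and not reduced by the extra 3 bytes), so the reasoning is on record with the change.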