Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1763474AbZLQA52 (ORCPT ); Wed, 16 Dec 2009 19:57:28 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1761986AbZLQA5N (ORCPT ); Wed, 16 Dec 2009 19:57:13 -0500 Received: from kroah.org ([198.145.64.141]:44485 "EHLO coco.kroah.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759235AbZLQAyi (ORCPT ); Wed, 16 Dec 2009 19:54:38 -0500 X-Mailbox-Line: From gregkh@mini.kroah.org Wed Dec 16 16:47:08 2009 Message-Id: <20091217004707.899625984@mini.kroah.org> User-Agent: quilt/0.48-1 Date: Wed, 16 Dec 2009 16:45:58 -0800 From: Greg KH To: linux-kernel@vger.kernel.org, stable@kernel.org Cc: stable-review@kernel.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Michael Buesch , "John W. Linville" Subject: [07/18] ssb: Fix range check in sprom write In-Reply-To: <20091217005306.GA6230@kroah.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1974 Lines: 71 2.6.27-stable review patch. If anyone has any objections, please let us know. ------------------ From: Michael Buesch commit e33761e6f23881de9f3ee77cc2204ab2e26f3d9a upstream. The range check in the sprom image parser hex2sprom() is broken. One sprom word is 4 hex characters. This fixes the check and also adds much better sanity checks to the code. We better make sure the image is OK by doing some sanity checks to avoid bricking the device by accident. Signed-off-by: Michael Buesch Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman --- drivers/ssb/sprom.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) --- a/drivers/ssb/sprom.c +++ b/drivers/ssb/sprom.c @@ -13,6 +13,8 @@ #include "ssb_private.h" +#include + static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len, size_t sprom_size_words) @@ -30,17 +32,27 @@ static int sprom2hex(const u16 *sprom, c static int hex2sprom(u16 *sprom, const char *dump, size_t len, size_t sprom_size_words) { - char tmp[5] = { 0 }; - int cnt = 0; + char c, tmp[5] = { 0 }; + int err, cnt = 0; unsigned long parsed; - if (len < sprom_size_words * 2) + /* Strip whitespace at the end. */ + while (len) { + c = dump[len - 1]; + if (!isspace(c) && c != '\0') + break; + len--; + } + /* Length must match exactly. */ + if (len != sprom_size_words * 4) return -EINVAL; while (cnt < sprom_size_words) { memcpy(tmp, dump, 4); dump += 4; - parsed = simple_strtoul(tmp, NULL, 16); + err = strict_strtoul(tmp, 16, &parsed); + if (err) + return err; sprom[cnt++] = swab16((u16)parsed); } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/