rt2500usb_validate_eeprom() read data up to 0x6e (EEPROM_CALIBRATE_OFFSET)
but only 0x6a bytes has been allocated and read from the eeprom.
This lead to out-of-bound accesses and invalid values for
EEPROM_BBPTUNE_R17 and EEPROM_CALIBRATE_OFFSET.
Change the EEPROM_SIZE to 0x6e in order to retrieve all the fields.
Tested with a rt2570 device.
Signed-off-by: Adrien Schildknecht <[email protected]>
---
drivers/net/wireless/rt2x00/rt2500usb.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/rt2x00/rt2500usb.h b/drivers/net/wireless/rt2x00/rt2500usb.h
index afba073..78cc035 100644
--- a/drivers/net/wireless/rt2x00/rt2500usb.h
+++ b/drivers/net/wireless/rt2x00/rt2500usb.h
@@ -54,7 +54,7 @@
#define CSR_REG_BASE 0x0400
#define CSR_REG_SIZE 0x0100
#define EEPROM_BASE 0x0000
-#define EEPROM_SIZE 0x006a
+#define EEPROM_SIZE 0x006e
#define BBP_BASE 0x0000
#define BBP_SIZE 0x0060
#define RF_BASE 0x0004
--
2.5.0
> rt2500usb_validate_eeprom() read data up to 0x6e (EEPROM_CALIBRATE_OFFSET)
> but only 0x6a bytes has been allocated and read from the eeprom.
>
> This lead to out-of-bound accesses and invalid values for
> EEPROM_BBPTUNE_R17 and EEPROM_CALIBRATE_OFFSET.
>
> Change the EEPROM_SIZE to 0x6e in order to retrieve all the fields.
>
> Tested with a rt2570 device.
>
> Signed-off-by: Adrien Schildknecht <[email protected]>
> Acked-by: Stanislaw Gruszka <[email protected]>
Thanks, applied to wireless-drivers-next.git.
Kalle Valo
On Tue, Aug 11, 2015 at 12:25:53AM +0200, Adrien Schildknecht wrote:
> rt2500usb_validate_eeprom() read data up to 0x6e (EEPROM_CALIBRATE_OFFSET)
> but only 0x6a bytes has been allocated and read from the eeprom.
>
> This lead to out-of-bound accesses and invalid values for
> EEPROM_BBPTUNE_R17 and EEPROM_CALIBRATE_OFFSET.
>
> Change the EEPROM_SIZE to 0x6e in order to retrieve all the fields.
>
> Tested with a rt2570 device.
>
> Signed-off-by: Adrien Schildknecht <[email protected]>
Acked-by: Stanislaw Gruszka <[email protected]>