>From 7e82b745f7f6b48b95d111eef4c933cea1c15f9e Mon Sep 17 00:00:00 2001
From: Ido Yariv <[email protected]>
Date: Wed, 22 Sep 2010 09:53:13 +0200
Subject: [PATCH 10/26] wl1271: Fix overflow in wl1271_boot_upload_nvs

Due to miscalculation of nvs_len, excessive data was sent to the
firmware.
Fix this by first setting nvs_ptr to point to the first NVS table,
and computing the total size of all NVS tables accordingly.

Signed-off-by: Ido Yariv <[email protected]>
Tested-By: Tuomas Katila <[email protected]>
Acked-by: Luciano Coelho <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Claude Brouat <[email protected]>
---
 drivers/net/wireless/wl12xx/wl1271_boot.c |   17 ++++++-----------
 1 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/drivers/net/wireless/wl12xx/wl1271_boot.c b/drivers/net/wireless/wl12xx/wl1271_boot.c
index 23bd8e8..4151386 100644
--- a/drivers/net/wireless/wl12xx/wl1271_boot.c
+++ b/drivers/net/wireless/wl12xx/wl1271_boot.c
@@ -274,11 +274,11 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)

     /*
      * We've reached the first zero length, the first NVS table
-    * is 7 bytes further.
+    * is located at an aligned offset which is at least 7 bytes further.
      */
-    nvs_ptr += 7;
+    nvs_ptr = (u8 *)wl->nvs->nvs +
+               ALIGN(nvs_ptr - (u8 *)wl->nvs->nvs + 7, 4);
     nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;
-    nvs_len = ALIGN(nvs_len, 4);

     /* FIXME: The driver sets the partition here, but this is not needed,
        since it sets to the same one as currently in use */
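Review bot: The subtraction `nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;` has no visible check that the newly aligned offset still lies inside the NVS area. The offset is reached by walking the NVS contents up to the first zero length and then rounding up, so a truncated or malformed NVS image could leave it larger than `nvs_len`. If `nvs_len` is an unsigned size (its declaration is outside the hunk), the result wraps and the `kmemdup(nvs_ptr, nvs_len, GFP_KERNEL)` in the next hunk would read past the end of the buffer. Unless the part of wl1271_boot_upload_nvs above this hunk already bounds the walk, I would add a guard before the subtraction, for example `if (nvs_ptr - (u8 *)wl->nvs->nvs > nvs_len) return -EINVAL;`, with a short comment saying the NVS contents are not trusted to be well-formed.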
@@ -286,14 +286,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
     wl1271_set_partition(wl, &part_table[PART_WORK]);

     /* Copy the NVS tables to a new block to ensure alignment */
-    /* FIXME: We jump 3 more bytes before uploading the NVS.  It seems
-    that our NVS files have three extra zeros here.  I'm not sure whether
-    the problem is in our NVS generation or we should really jumpt these
-    3 bytes here */
-    nvs_ptr += 3;
-
-    nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); if
-    (!nvs_aligned) return -ENOMEM;
+    nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL);
+    if (!nvs_aligned)
+          return -ENOMEM;

     /* And finally we upload the NVS tables */
     /* FIXME: In wl1271, we upload everything at once.
--
1.6.3.3



