From 3d0ccb5eb2cac88760581cff2e8aa6fbd98ac91a Mon Sep 17 00:00:00 2001
From: Johannes Berg
Date: Fri, 29 Feb 2008 23:28:25 +0100
Subject: [PATCH] --- yaml --- r: 86914 b: refs/heads/master c: c2f2d3a06f8b628d444cf4f396d6c6ddd47e1d1f h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/drivers/net/wireless/p54common.c | 18 +++++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/[refs] b/[refs]
index e64d1680fecf..9b3be8c6a753 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 8c28293f5514f64ba064bac7946aebeda4a663c6
+refs/heads/master: c2f2d3a06f8b628d444cf4f396d6c6ddd47e1d1f
diff --git a/trunk/drivers/net/wireless/p54common.c b/trunk/drivers/net/wireless/p54common.c
index 56aabec73c20..d191e055a788 100644
--- a/trunk/drivers/net/wireless/p54common.c
+++ b/trunk/drivers/net/wireless/p54common.c
@@ -166,18 +166,23 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len)
 struct p54_common *priv = dev->priv;
 struct eeprom_pda_wrap *wrap = NULL;
 struct pda_entry *entry;
- int i = 0;
 unsigned int data_len, entry_len;
 void *tmp;
 int err;
+ u8 *end = (u8 *)eeprom + len;
 wrap = (struct eeprom_pda_wrap *) eeprom;
 entry = (void *)wrap->data + le16_to_cpu(wrap->len);
- i += 2;
- i += le16_to_cpu(entry->len)*2;
- while (i < len) {
+ /* verify that at least the entry length/code fits */
+ while ((u8 *)entry <= end - sizeof(*entry)) {
 entry_len = le16_to_cpu(entry->len);
 data_len = ((entry_len - 1) << 1);
+ /* abort if entry exceeds whole structure */
+ if ((u8 *)entry + sizeof(*entry) + data_len > end)
+ break;
+
 switch (le16_to_cpu(entry->code)) {
 case PDR_MAC_ADDRESS:
 SET_IEEE80211_PERM_ADDR(dev, entry->data);
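Review bot: The new bounds test `if ((u8 *)entry + sizeof(*entry) + data_len > end)` is done in pointer arithmetic, so it can wrap for the very value it most needs to reject. An `entry->len` of 0 makes `data_len = ((entry_len - 1) << 1)` underflow to 0xfffffffe, and on a 32-bit build the sum can land back below `end` and pass. Comparing lengths avoids that, e.g. `if (!entry_len || data_len > (size_t)(end - (u8 *)entry) - sizeof(*entry)) break;`, which is safe because the loop condition already guarantees the entry header fits. The starting offset is also taken straight from the image: `le16_to_cpu(wrap->len)` is read before anything visible here checks that `len` covers `sizeof(*wrap)`, so a short or negative `len` should be rejected up front. The case arms that consume `data_len` lie outside this hunk, so the impact of an oversized value depends on code not shown.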
@@ -249,13 +254,12 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len)
 priv->version = *(u8 *)(entry->data + 1);
 break;
 case PDR_END:
- i = len;
+ /* make it overrun */
+ entry_len = len;
 break;
 }
 entry = (void *)entry + (entry_len + 1)*2;
- i += 2;
- i += entry_len*2;
 }
 if (!priv->iq_autocal || !priv->output_limit || !priv->curve_data) {
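Review bot: Ending the scan at `PDR_END` by setting `entry_len = len` only works if `entry + (entry_len + 1)*2` lands past `end`. That deliberately forms an out-of-range pointer and ties loop termination to the arithmetic never wrapping. The advance is the only statement after the switch in this hunk, so an explicit exit is clearer and has no such dependency: `entry = (void *)end; continue;` makes the `while` condition fail without overrunning the buffer. If the sentinel stays, the comment should say why it is there, for example `/* PDR_END: push entry past end so the while condition stops the scan */`. The loop header is outside this hunk.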