The validation of the received EEPROM data uses struct firmware's size field, which contains the size in bytes. ath9k_platform_data's eeprom_data field, however, is a u16 array with 2048 elements. Using a simple sizeof(pdata->eeprom_data) returns the array size (2048 in our case). The actual maximum size, however, is 2048 * sizeof(u16), or in other words 4096 bytes (the kernel's FIELD_SIZEOF macro does the same calculation, but is easier to read).
Signed-off-by: Martin Blumenstingl <martin.blumensti...@googlemail.com>
---
 target/linux/generic/files/drivers/misc/owl-loader.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/target/linux/generic/files/drivers/misc/owl-loader.c b/target/linux/generic/files/drivers/misc/owl-loader.c
index 30340da..6cc8e40 100644
--- a/target/linux/generic/files/drivers/misc/owl-loader.c
+++ b/target/linux/generic/files/drivers/misc/owl-loader.c
@@ -32,6 +32,9 @@ struct owl_ctx {
 #define EEPROM_FILENAME_LEN 100
+#define MAX_EEPROM_SIZE FIELD_SIZEOF(struct ath9k_platform_data, eeprom_data)
+#define MIN_EEPROM_SIZE 512
+
 #define AR5416_EEPROM_MAGIC 0xa55a
 static int ath9k_pci_fixup(struct pci_dev *pdev, const u16 *cal_data,
@@ -124,7 +127,7 @@ static void owl_fw_cb(const struct firmware *fw, void *context)
 }
 /* also note that we are doing *u16 operations on the file */
- if (fw->size > sizeof(pdata->eeprom_data) || fw->size < 0x200 ||
+ if (fw->size > MAX_EEPROM_SIZE || fw->size < MIN_EEPROM_SIZE ||
 (fw->size & 1) == 1) {
 dev_err(&pdev->dev, "eeprom file has an invalid size.\n");
 goto release;
-- 
2.10.0
_______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
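Review bot: The two limits added in the first hunk carry no comment stating their unit or where 512 comes from, and both bound a length taken from a loaded firmware file. FIELD_SIZEOF expands to a sizeof of the named member, so MAX_EEPROM_SIZE is a byte count, the same unit as fw->size in the check inside owl_fw_cb. I would add `/* limits in bytes, compared against firmware->size */` above the defines, plus a short remark on why the minimum is 512, since the old code used a bare 0x200 with no explanation.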
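Review bot: The rejection path in owl_fw_cb still logs only a generic message without the offending value, so someone triaging a truncated or tampered calibration file cannot tell which bound failed. Consider `dev_err(&pdev->dev, "eeprom file has an invalid size (%zu bytes).\n", fw->size);`. Since sizeof applied to an array member already yields bytes, the new upper bound presumably evaluates to the same value as the old one (the declaration of eeprom_data is not in the hunk), so this reads as a readability change rather than a tightened or loosened limit. owl_fw_cb starts and ends outside the hunk, so the copy this check guards is not visible here.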