rtlwifi: rtl8192se firmware load can overflow target buffer
Define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE which represents the maximimum possible firmware file size. Use it in the definition of the buffer which receives the firmware file data. Set RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE closer to the actual size of the firmware file, e.g., 90000 (down from hard coded 164000). The current size of rtlwifi/rtl8192sefw.bin is 88856. Set max_fw_size to RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE for the size limit check. Fix the error case where max_fw_size is not cleared if the size limit check fails. Cc: Chaoming Li <chaoming_li@realsil.com.cn> Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
52e1409f72
commit
3fccdcf509
2 changed files with 4 additions and 2 deletions
|
@ -30,6 +30,7 @@
|
|||
#define __REALTEK_FIRMWARE92S_H__
|
||||
|
||||
#define RTL8190_MAX_FIRMWARE_CODE_SIZE 64000
|
||||
#define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE 90000
|
||||
#define RTL8190_CPU_START_OFFSET 0x80
|
||||
/* Firmware Local buffer size. 64k */
|
||||
#define MAX_FIRMWARE_CODE_SIZE 0xFF00
|
||||
|
@ -217,7 +218,7 @@ struct rt_firmware {
|
|||
u8 fw_emem[RTL8190_MAX_FIRMWARE_CODE_SIZE];
|
||||
u32 fw_imem_len;
|
||||
u32 fw_emem_len;
|
||||
u8 sz_fw_tmpbuffer[164000];
|
||||
u8 sz_fw_tmpbuffer[RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE];
|
||||
u32 sz_fw_tmpbufferlen;
|
||||
u16 cmdpacket_fragthresold;
|
||||
};
|
||||
|
|
|
@ -108,6 +108,7 @@ static void rtl92se_fw_cb(const struct firmware *firmware, void *context)
|
|||
if (firmware->size > rtlpriv->max_fw_size) {
|
||||
RT_TRACE(rtlpriv, COMP_ERR, DBG_EMERG,
|
||||
"Firmware is too big!\n");
|
||||
rtlpriv->max_fw_size = 0;
|
||||
release_firmware(firmware);
|
||||
return;
|
||||
}
|
||||
|
@ -232,7 +233,7 @@ static int rtl92s_init_sw_vars(struct ieee80211_hw *hw)
|
|||
return 1;
|
||||
}
|
||||
|
||||
rtlpriv->max_fw_size = sizeof(struct rt_firmware);
|
||||
rtlpriv->max_fw_size = RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE;
|
||||
|
||||
pr_info("Driver for Realtek RTL8192SE/RTL8191SE\n"
|
||||
"Loading firmware %s\n", rtlpriv->cfg->fw_name);
|
||||
|
|
Loading…
Reference in a new issue