Commit 835df183 authored by Kenny Hsu's avatar Kenny Hsu Committed by John W. Linville

iwlwifi: add range checking in tm sram read command

The size of the SRAM may vary with the uCode type.
Retrieve the maximum SRAM size for the current uCode
type and use it for range checking to prevent invalid data access.
Signed-off-by: default avatarKenny Hsu <kenny.hsu@intel.com>
Signed-off-by: default avatarWey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 158969a2
...@@ -680,7 +680,7 @@ static int iwl_testmode_ownership(struct ieee80211_hw *hw, struct nlattr **tb) ...@@ -680,7 +680,7 @@ static int iwl_testmode_ownership(struct ieee80211_hw *hw, struct nlattr **tb)
static int iwl_testmode_sram(struct ieee80211_hw *hw, struct nlattr **tb) static int iwl_testmode_sram(struct ieee80211_hw *hw, struct nlattr **tb)
{ {
struct iwl_priv *priv = hw->priv; struct iwl_priv *priv = hw->priv;
u32 base, ofs, size; u32 base, ofs, size, maxsize;
if (priv->testmode_sram.sram_readed) if (priv->testmode_sram.sram_readed)
return -EBUSY; return -EBUSY;
...@@ -695,6 +695,27 @@ static int iwl_testmode_sram(struct ieee80211_hw *hw, struct nlattr **tb) ...@@ -695,6 +695,27 @@ static int iwl_testmode_sram(struct ieee80211_hw *hw, struct nlattr **tb)
return -ENOMSG; return -ENOMSG;
} }
size = nla_get_u32(tb[IWL_TM_ATTR_SRAM_SIZE]); size = nla_get_u32(tb[IWL_TM_ATTR_SRAM_SIZE]);
switch (priv->ucode_type) {
case IWL_UCODE_REGULAR:
maxsize = trans(priv)->ucode_rt.data.len;
break;
case IWL_UCODE_INIT:
maxsize = trans(priv)->ucode_init.data.len;
break;
case IWL_UCODE_WOWLAN:
maxsize = trans(priv)->ucode_wowlan.data.len;
break;
case IWL_UCODE_NONE:
IWL_DEBUG_INFO(priv, "Error, uCode does not been loaded\n");
return -ENOSYS;
default:
IWL_DEBUG_INFO(priv, "Error, unsupported uCode type\n");
return -ENOSYS;
}
if ((ofs + size) > maxsize) {
IWL_DEBUG_INFO(priv, "Invalid offset/size: out of range\n");
return -EINVAL;
}
priv->testmode_sram.buff_size = (size / 4) * 4; priv->testmode_sram.buff_size = (size / 4) * 4;
priv->testmode_sram.buff_addr = priv->testmode_sram.buff_addr =
kmalloc(priv->testmode_sram.buff_size, GFP_KERNEL); kmalloc(priv->testmode_sram.buff_size, GFP_KERNEL);
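Review bot: The new bound check `(ofs + size) > maxsize` adds two u32 values, so the sum can wrap modulo 2^32 and compare below `maxsize` even when the requested range lies far outside the loaded image. `size` is taken directly from the `IWL_TM_ATTR_SRAM_SIZE` netlink attribute, and `ofs` is assigned outside this hunk, presumably from a request attribute as well, so neither value is bounded before the addition. Writing the test without the addition closes the gap: `if (size > maxsize || ofs > maxsize - size) {`. With that form the `kmalloc()` of `buff_size` that follows is also reliably capped by `maxsize`. The body of iwl_testmode_sram starts and ends outside the hunk.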
......