Commit d0ce2d17 authored by Vasanthakumar Thiagarajan's avatar Vasanthakumar Thiagarajan Committed by John W. Linville

ath9k_hw: Fix bug in eeprom data length validation for AR9485

The size of the eeprom data is 1088 bytes for AR9485. But
a sanity check is done against 4K which would result in a
'potential read past the end of the buffer' smatch complaint.
Reported-by: default avatarDan Carpenter <error27@gmail.com>
Signed-off-by: default avatarVasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 0207c0c5
...@@ -59,6 +59,8 @@ ...@@ -59,6 +59,8 @@
#define CTL(_tpower, _flag) ((_tpower) | ((_flag) << 6)) #define CTL(_tpower, _flag) ((_tpower) | ((_flag) << 6))
#define EEPROM_DATA_LEN_9485 1088
static int ar9003_hw_power_interpolate(int32_t x, static int ar9003_hw_power_interpolate(int32_t x,
int32_t *px, int32_t *py, u_int16_t np); int32_t *px, int32_t *py, u_int16_t np);
...@@ -3367,7 +3369,7 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah, ...@@ -3367,7 +3369,7 @@ static int ar9300_eeprom_restore_internal(struct ath_hw *ah,
"Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n",
cptr, code, reference, length, major, minor); cptr, code, reference, length, major, minor);
if ((!AR_SREV_9485(ah) && length >= 1024) || if ((!AR_SREV_9485(ah) && length >= 1024) ||
(AR_SREV_9485(ah) && length >= (4 * 1024))) { (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) {
ath_dbg(common, ATH_DBG_EEPROM, ath_dbg(common, ATH_DBG_EEPROM,
"Skipping bad header\n"); "Skipping bad header\n");
cptr -= COMP_HDR_LEN; cptr -= COMP_HDR_LEN;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment