diff options
| author | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2008-03-04 20:20:58 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2008-03-04 20:20:58 -0800 |
| commit | 27d0483aa1ef66a8877d71b63bb97f46ab0246b2 (patch) | |
| tree | ca84a9db8c79b789d40d2d9ae30d0349fd3562fc /drivers/net/wireless/p54common.c | |
| parent | 665c1ef8369138dad7773da6407fe77ccff87deb (diff) | |
| parent | dea75bdfa57f75a7a7ec2961ec28db506c18e5db (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (22 commits)
[IPCONFIG]: The kernel gets no IP from some DHCP servers
b43legacy: Fix module init message
rndis_wlan: fix broken data copy
libertas: compare the current command with response
libertas: fix sanity check on sequence number in command response
p54: fix eeprom parser length sanity checks
p54: fix EEPROM structure endianness
ssb: Add pcibios_enable_device() return value check
rc80211-pid: fix rate adjustment
[ESP]: Add select on AUTHENC
[TCP]: Improve ipv4 established hash function.
[NETPOLL]: Revert two bogus cleanups that broke netconsole.
[PPPOL2TP]: Add missing sock_put() in pppol2tp_tunnel_closeall()
Subject: [PPPOL2TP] add missing sock_put() in pppol2tp_recv_dequeue()
[BLUETOOTH]: l2cap info_timer delete fix in hci_conn_del
[NET]: Fix race in generic address resolution.
iucv: fix build error on !SMP
[TCP]: Must count fack_count also when skipping
[TUN]: Fix RTNL-locking in tun/tap driver
[SCTP]: Use proc_create to setup de->proc_fops.
...
Diffstat (limited to 'drivers/net/wireless/p54common.c')
| -rw-r--r-- | drivers/net/wireless/p54common.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/drivers/net/wireless/p54common.c b/drivers/net/wireless/p54common.c index 5cda49aff3a..d191e055a78 100644 --- a/drivers/net/wireless/p54common.c +++ b/drivers/net/wireless/p54common.c @@ -166,18 +166,23 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len) struct p54_common *priv = dev->priv; struct eeprom_pda_wrap *wrap = NULL; struct pda_entry *entry; - int i = 0; unsigned int data_len, entry_len; void *tmp; int err; + u8 *end = (u8 *)eeprom + len; wrap = (struct eeprom_pda_wrap *) eeprom; - entry = (void *)wrap->data + wrap->len; - i += 2; - i += le16_to_cpu(entry->len)*2; - while (i < len) { + entry = (void *)wrap->data + le16_to_cpu(wrap->len); + + /* verify that at least the entry length/code fits */ + while ((u8 *)entry <= end - sizeof(*entry)) { entry_len = le16_to_cpu(entry->len); data_len = ((entry_len - 1) << 1); + + /* abort if entry exceeds whole structure */ + if ((u8 *)entry + sizeof(*entry) + data_len > end) + break; + switch (le16_to_cpu(entry->code)) { case PDR_MAC_ADDRESS: SET_IEEE80211_PERM_ADDR(dev, entry->data); @@ -249,13 +254,12 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len) priv->version = *(u8 *)(entry->data + 1); break; case PDR_END: - i = len; + /* make it overrun */ + entry_len = len; break; } entry = (void *)entry + (entry_len + 1)*2; - i += 2; - i += entry_len*2; } if (!priv->iq_autocal || !priv->output_limit || !priv->curve_data) { |