headers
Larry Finger | 10 Feb 01:19
Favicon

[PATCH v3] rtlwifi: rtl8192se firmware load can overflow target buffer

From: Tim Gardner <tim.gardner <at> canonical.com>

Define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE which represents the
maximimum possible firmware file size. Use it in the definition
of the buffer which receives the firmware file data.

Set RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE closer to the actual size of
the firmware file, e.g., 90000 (down from hard coded 164000). The current
size of rtlwifi/rtl8192sefw.bin is 88856.

Set max_fw_size to RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE for the size limit
check. Fix the error case where max_fw_size is not cleared if the size
limit check fails.

Cc: Chaoming Li <chaoming_li <at> realsil.com.cn>
Cc: linux-wireless <at> vger.kernel.org
Cc: netdev <at> vger.kernel.org
Cc: linux-kernel <at> vger.kernel.org
Signed-off-by: Tim Gardner <tim.gardner <at> canonical.com>
Signed-off-by: Larry Finger <Larry.Finger <at> lwfinger.net>
---
 drivers/net/wireless/rtlwifi/rtl8192se/fw.h |    3 ++-
 drivers/net/wireless/rtlwifi/rtl8192se/sw.c |    3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/fw.h b/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
index babe85d..b4afff6 100644
--- a/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
+++ b/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
@@ -30,6 +30,7 @@
(Continue reading)

Permalink | Reply |
headers
John W. Linville | 15 Feb 19:55
Favicon

Re: [PATCH v3] rtlwifi: rtl8192se firmware load can overflow target buffer

Is this a fix that should go to 3.3?

On Thu, Feb 09, 2012 at 06:19:52PM -0600, Larry Finger wrote:
> From: Tim Gardner <tim.gardner@...>
> 
> Define RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE which represents the
> maximimum possible firmware file size. Use it in the definition
> of the buffer which receives the firmware file data.
> 
> Set RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE closer to the actual size of
> the firmware file, e.g., 90000 (down from hard coded 164000). The current
> size of rtlwifi/rtl8192sefw.bin is 88856.
> 
> Set max_fw_size to RTL8190_MAX_RAW_FIRMWARE_CODE_SIZE for the size limit
> check. Fix the error case where max_fw_size is not cleared if the size
> limit check fails.
> 
> Cc: Chaoming Li <chaoming_li@...>
> Cc: linux-wireless@...
> Cc: netdev@...
> Cc: linux-kernel@...
> Signed-off-by: Tim Gardner <tim.gardner@...>
> Signed-off-by: Larry Finger <Larry.Finger@...>
> ---
>  drivers/net/wireless/rtlwifi/rtl8192se/fw.h |    3 ++-
>  drivers/net/wireless/rtlwifi/rtl8192se/sw.c |    3 ++-
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/rtlwifi/rtl8192se/fw.h b/drivers/net/wireless/rtlwifi/rtl8192se/fw.h
> index babe85d..b4afff6 100644
(Continue reading)

Permalink | Reply |
headers
Larry Finger | 15 Feb 20:14
Favicon

Re: [PATCH v3] rtlwifi: rtl8192se firmware load can overflow target buffer

On 02/15/2012 12:55 PM, John W. Linville wrote:
> Is this a fix that should go to 3.3?

That code has been in the driver since 3.0 and it should probably be packported. 
On the other hand, Tim's report is the first one. My suggestion is that it go 
into 3.4.

In addition, I am working on a fix that will completely eliminate all this fixed 
storage.

Larry
Permalink | Reply |
headers
Tim Gardner | 15 Feb 20:34
Picon

Re: [PATCH v3] rtlwifi: rtl8192se firmware load can overflow target buffer

On 02/15/2012 12:14 PM, Larry Finger wrote:
> On 02/15/2012 12:55 PM, John W. Linville wrote:
>> Is this a fix that should go to 3.3?
>
> That code has been in the driver since 3.0 and it should probably be
> packported. On the other hand, Tim's report is the first one. My
> suggestion is that it go into 3.4.
>
> In addition, I am working on a fix that will completely eliminate all
> this fixed storage.
>
> Larry
>
>

I'm fine with it being 3.4 material. The patch addresses an unlikely 
scenario.

rtg
--

-- 
Tim Gardner tim.gardner <at> canonical.com
Permalink | Reply |

Gmane