[PATCH] staging: brcm80211: added firmware validation

Greg KH greg at kroah.com
Fri Dec 3 20:29:01 UTC 2010 

On Wed, Dec 01, 2010 at 09:38:31PM +0100, Roland Vossen wrote:
> Fix for https://bugzilla.kernel.org/show_bug.cgi?id=21872
> 
> New function wl_check_firmwares() checks validity of all firmware images
> loaded from user space.
> 
> Signed-off-by: Roland Vossen <rvossen at broadcom.com>
> Cc: stable <stable at kernel.org>
> ---
>  drivers/staging/brcm80211/sys/wl_mac80211.c     |   54 ++++++++++++++++++++++-
>  drivers/staging/brcm80211/sys/wl_ucode.h        |    4 ++
>  drivers/staging/brcm80211/sys/wl_ucode_loader.c |    4 ++
>  3 files changed, 60 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/staging/brcm80211/sys/wl_mac80211.c b/drivers/staging/brcm80211/sys/wl_mac80211.c
> index 364b349..d41212b 100644
> --- a/drivers/staging/brcm80211/sys/wl_mac80211.c
> +++ b/drivers/staging/brcm80211/sys/wl_mac80211.c
> @@ -1776,8 +1776,7 @@ static int wl_request_fw(struct wl_info *wl, struct pci_dev *pdev)
>  			 wl->fw.hdr_num_entries[i]));
>  	}
>  	wl->fw.fw_cnt = i;
> -	wl_ucode_data_init(wl);
> -	return 0;
> +	return wl_ucode_data_init(wl);
>  }
>  
>  void wl_ucode_free_buf(void *p)
> @@ -1793,3 +1792,54 @@ static void wl_release_fw(struct wl_info *wl)
>  		release_firmware(wl->fw.fw_hdr[i]);
>  	}
>  }
> +
> +
> +/*
> + * checks validity of all firmware images loaded from user space
> + */
> +int wl_check_firmwares(struct wl_info *wl)
> +{
> +	int i;
> +	int entry;
> +	int rc = 0;
> +	const struct firmware *fw;
> +	const struct firmware *fw_hdr;
> +	struct wl_fw_hdr *ucode_hdr;
> +	for (i = 0; i < WL_MAX_FW && rc == 0; i++) {
> +		fw =  wl->fw.fw_bin[i];
> +		fw_hdr = wl->fw.fw_hdr[i];
> +		if (fw == NULL && fw_hdr == NULL) {
> +			break;
> +		} else if (fw == NULL || fw_hdr == NULL) {
> +			WL_ERROR(("%s: invalid bin/hdr fw\n", __func__));
> +			rc = -EBADF;
> +		} else if (fw_hdr->size % sizeof(struct wl_fw_hdr)) {
> +			WL_ERROR(("%s: non integral fw hdr file size %d/%d\n",
> +				  __func__, fw_hdr->size,
> +				  sizeof(struct wl_fw_hdr)));
> +			rc = -EBADF;
> +		} else if (fw->size < MIN_FW_SIZE || fw->size > MAX_FW_SIZE) {
> +			WL_ERROR(("%s: out of bounds fw file size %d\n",
> +				  __func__, fw->size));
> +			rc = -EBADF;
> +		} else {
> +			/* check if ucode section overruns firmware image */
> +			ucode_hdr = (struct wl_fw_hdr *)fw_hdr->data;
> +			for (entry = 0; entry < wl->fw.hdr_num_entries[i] && rc;
> +			     entry++, ucode_hdr++) {
> +				if (ucode_hdr->offset + ucode_hdr->len >
> +				    fw->size) {
> +					WL_ERROR(("%s: conflicting bin/hdr\n",
> +						  __func__));
> +					rc = -EBADF;
> +				}
> +			}
> +		}
> +	}
> +	if (rc == 0 && wl->fw.fw_cnt != i) {
> +		WL_ERROR(("%s: invalid fw_cnt=%d\n", __func__, wl->fw.fw_cnt));
> +		rc = -EBADF;
> +	}
> +	return rc;
> +}

I've applied this, but now this function generates 3 new build warnings:

  CC [M]  drivers/staging/brcm80211/sys/wl_mac80211.o
drivers/staging/brcm80211/sys/wl_mac80211.c: In function ‘wl_check_firmwares’:
drivers/staging/brcm80211/sys/wl_mac80211.c:1817:4: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘size_t’
drivers/staging/brcm80211/sys/wl_mac80211.c:1817:4: warning: format ‘%d’ expects type ‘int’, but argument 4 has type ‘long unsigned int’
drivers/staging/brcm80211/sys/wl_mac80211.c:1822:4: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘size_t’


Please test this stuff before sending it to me :(

And please send a follow-up patch that fixes the warnings.

thanks,

greg k-h

More information about the devel mailing list