Commit 5a16a3d9 authored by Hayes Wang's avatar Hayes Wang Committed by Jakub Kicinski
Browse files

r8152: add checking fw_offset field of struct fw_mac 



Make sure @fw_offset field of struct fw_mac is more than the size
of struct fw_mac.

Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
parent a66edaaf

drivers/net/usb/r8152.c

+9 −3
Original line number Diff line number Diff line
@@ -3399,7 +3399,7 @@ static void rtl_clear_bp(struct r8152 *tp, u16 type) 


static bool rtl8152_is_fw_mac_ok(struct r8152 *tp, struct fw_mac *mac)

{

	u16 fw_reg, bp_ba_addr, bp_en_addr, bp_start;

	u16 fw_reg, bp_ba_addr, bp_en_addr, bp_start, fw_offset;

	bool rc = false;

	u32 length, type;

	int i, max_bp;
@@ -3461,13 +3461,19 @@ static bool rtl8152_is_fw_mac_ok(struct r8152 *tp, struct fw_mac *mac) 
		goto out;

	}



	fw_offset = __le16_to_cpu(mac->fw_offset);

	if (fw_offset < sizeof(*mac)) {

		dev_err(&tp->intf->dev, "fw_offset too small\n");

		goto out;

	}



	length = __le32_to_cpu(mac->blk_hdr.length);

	if (length < __le16_to_cpu(mac->fw_offset)) {

	if (length < fw_offset) {

		dev_err(&tp->intf->dev, "invalid fw_offset\n");

		goto out;

	}



	length -= __le16_to_cpu(mac->fw_offset);

	length -= fw_offset;

	if (length < 4 || (length & 3)) {

		dev_err(&tp->intf->dev, "invalid block length\n");

		goto out;

CRA Git | Maintained and supported by SUSTech CRA and CCSE