--- a/drivers/net/wireless/ath/carl9170/fw.c
+++ b/drivers/net/wireless/ath/carl9170/fw.c
@@ -39,7 +39,7 @@ const void *ar9170_fw_find_desc(struct a
for_each_hdr(iter, ar->fw_desc) {
if (!memcmp(iter->magic, descid, sizeof(*descid)) &&
!CHECK_HDR_VERSION(iter, compatible_revision) &&
- (iter->length >= len)) {
+ (le16_to_cpu(iter->length) >= len)) {
ret = (void *)iter;
break;
}
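Review bot: The magic comparison `memcmp(iter->magic, descid, sizeof(*descid))` takes its length from descid's declared type, which is in the signature outside this hunk. If descid is a byte pointer or a `u8[4]` parameter (which decays to a pointer), only the first byte of the magic is compared. The for_each_hdr macro in fwhdr.h compares four bytes, so assuming magic is a four-byte array, `sizeof(iter->magic)` would keep the two in agreement whatever descid's type is. The function starts and ends outside the hunk.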
@@ -63,20 +63,22 @@ static int ar9170_fw_verify_descs(struct
end = (void *) head + max_len;
while (pos < end) {
- if (((unsigned long)pos + pos->length) > (unsigned long)end)
+ int pos_length = le16_to_cpu(pos->length);
+
+ if (((unsigned long)pos + pos_length) > (unsigned long)end)
return -EMSGSIZE;
- if (pos->length > max_len)
+ if (pos_length > max_len)
return -EMSGSIZE;
- if (pos->length < sizeof(struct carl9170_fw_desc_head))
+ if (pos_length < sizeof(struct carl9170_fw_desc_head))
return -EINVAL;
if (!memcmp(pos->magic, last_magic, sizeof(last_magic)))
return 0;
- pos = (void *)((unsigned long)pos + pos->length);
- max_len -= pos->length;
+ pos = (void *)((unsigned long)pos + pos_length);
+ max_len -= le16_to_cpu(pos->length);
}
return -EINVAL;
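Review bot: The last statement of the loop, `max_len -= le16_to_cpu(pos->length);`, runs after pos has been advanced, so it subtracts the length of the next descriptor rather than the one just walked. It also reads that field before the `pos < end` test has run for the new position, which is a read past end when the previous descriptor finishes exactly at end. The local introduced at the top of the loop already holds the right value: `max_len -= pos_length;`. Separately, `pos < end` does not guarantee that a whole descriptor header fits before end, so the first read of pos->length may itself cross the boundary; the function continues outside the hunk, so confirm how max_len is bounded by the caller.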
@@ -139,7 +141,7 @@ static int ar9170_fw_check(struct ar9170
if (SUPP(CARL9170_FW_CRC32_CHECKSUM_TAIL)) {
__le32 crc32;
- crc32 = crc32_le(~0, data, len - 4);
+ crc32 = cpu_to_le32(crc32_le(~0, data, len - 4));
if (!memcmp(&crc32, &data[len - 4], 4) == 0) {
dev_err(ar->pdev, "CRC32 checksum mismatch!\n");
return -EINVAL;
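Review bot: The check `if (!memcmp(&crc32, &data[len - 4], 4) == 0)` parses as `(!memcmp(...)) == 0`, which is correct but easy to misread as its opposite; `if (memcmp(&crc32, &data[len - 4], 4) != 0)` says the same thing directly. `len - 4` also assumes len is at least 4, and no such check is visible in this hunk; if none exists earlier in ar9170_fw_check, a short image makes the length handed to crc32_le underflow. A comment here could state that the CRC32 tail only detects accidental corruption and is not an authenticity check on the image.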
--- a/drivers/net/wireless/ath/carl9170/fwhdr.h
+++ b/drivers/net/wireless/ath/carl9170/fwhdr.h
@@ -196,7 +196,7 @@ struct carl9170_fw_last_desc_v1 {
#define for_each_hdr(desc, fw_desc) \
for (desc = fw_desc; \
(memcmp(desc->magic, LAST_MAGIC, 4) && desc->length); \
- desc = (void *)((unsigned long)desc + desc->length))
+ desc = (void *)((unsigned long)desc + le16_to_cpu(desc->length)))
#define CHECK_HDR_VERSION(head, _min_ver) \
(((head)->cur_ver < _min_ver) || ((head)->min_ver > _min_ver)) \
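Review bot: for_each_hdr has no end bound: it stops only on LAST_MAGIC or a zero length, and each step advances by whatever length the image supplies. It is safe only on a descriptor chain that ar9170_fw_verify_descs has already accepted, and the macro should say so, for example `/* Caller must have run ar9170_fw_verify_descs(); this walk is not bounds-checked. */` above the definition. The macro arguments are also used unparenthesized (`desc->magic`, `desc = fw_desc`), unlike `(head)` in CHECK_HDR_VERSION below it.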
--- a/drivers/net/wireless/ath/carl9170/usb.c
+++ b/drivers/net/wireless/ath/carl9170/usb.c
@@ -640,9 +640,10 @@ static int ar9170_usb_check_firmware(str
}
if ((usb_desc->tx_descs < 16) ||
- (usb_desc->tx_frag_len < 64) || (usb_desc->tx_frag_len > 512) ||
- (usb_desc->rx_max_frame_len < 1024) ||
- (usb_desc->rx_max_frame_len > AR9170_MAX_RX_BUFFER_SIZE)) {
+ (le16_to_cpu(usb_desc->tx_frag_len) < 64) ||
+ (le16_to_cpu(usb_desc->tx_frag_len) > 512) ||
+ (le16_to_cpu(usb_desc->rx_max_frame_len) < 1024) ||
+ (le16_to_cpu(usb_desc->rx_max_frame_len) > AR9170_MAX_RX_BUFFER_SIZE)) {
dev_err(&aru->udev->dev, "usb firmware has obvious signs of "
"malicious tampering.\n");
err = -EINVAL;
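Review bot: Each little-endian field is converted twice in this condition and once more in the assignments of the following hunk. Converting once into locals before the check, e.g. `u16 frag_len = le16_to_cpu(usb_desc->tx_frag_len);` and `u16 rx_len = le16_to_cpu(usb_desc->rx_max_frame_len);`, keeps the validated value and the stored value visibly the same. The function starts and ends outside the hunk.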
@@ -650,14 +651,14 @@ static int ar9170_usb_check_firmware(str
}
if (SUPP(CARL9170_FW_USB_MINIBOOT))
- aru->fw_offset = usb_desc->miniboot_size;
+ aru->fw_offset = le16_to_cpu(usb_desc->miniboot_size);
else
aru->fw_offset = 0;
- aru->rx_size = usb_desc->rx_max_frame_len;
+ aru->rx_size = le16_to_cpu(usb_desc->rx_max_frame_len);
aru->common.mem_blocks = usb_desc->tx_descs;
atomic_set(&aru->common.mem_free_blocks, usb_desc->tx_descs);
- aru->common.mem_block_size = usb_desc->tx_frag_len;
+ aru->common.mem_block_size = le16_to_cpu(usb_desc->tx_frag_len);
return 0;
fail:
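Review bot: `aru->fw_offset = le16_to_cpu(usb_desc->miniboot_size);` stores a firmware-supplied offset without any range check, while tx_frag_len and rx_max_frame_len are bounded in the preceding hunk. If the upload path does not compare fw_offset with the image size (not visible here), an oversized value would index past the firmware buffer. A check before the assignment would close that, e.g. `if (le16_to_cpu(usb_desc->miniboot_size) >= FW_LEN) { err = -EINVAL; goto fail; }`, where FW_LEN is a placeholder for the image length available in this function.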