__carlfw_find_desc didn't check whether the area for
a descriptor was within the file length. Also it could
read beyond the file while looking for said descriptor.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
unsigned int len,
uint8_t compatible_revision)
{
unsigned int len,
uint8_t compatible_revision)
{
- int scan = file->len, found = 0;
struct carl9170fw_desc_head *tmp = NULL;
struct carl9170fw_desc_head *tmp = NULL;
+ /*
+ * Note: the last desc also has atleast a full desc_head.
+ * There's no reason for looking beyond that point.
+ */
+ scan = (file->len - 1) - (sizeof(*tmp) - CARL9170FW_MAGIC_SIZE);
+ while (scan > 0) {
if (file->data[scan] == descid[CARL9170FW_MAGIC_SIZE - found - 1])
found++;
else
if (file->data[scan] == descid[CARL9170FW_MAGIC_SIZE - found - 1])
found++;
else
}
if (found == CARL9170FW_MAGIC_SIZE) {
}
if (found == CARL9170FW_MAGIC_SIZE) {
tmp = (void *) &file->data[scan];
tmp = (void *) &file->data[scan];
+ tmp_desc_len = le16_to_cpu(tmp->length);
if (!CHECK_HDR_VERSION(tmp, compatible_revision) &&
if (!CHECK_HDR_VERSION(tmp, compatible_revision) &&
- (le16_to_cpu(tmp->length) >= len))
+ (scan + tmp_desc_len <= file->len) && (tmp_desc_len >= len))