From 350a051244596eff40413bee70259db12bd4d4f6 Mon Sep 17 00:00:00 2001
From: Christian Lamparter
Date: Tue, 15 Jan 2013 22:31:15 +0100
Subject: [PATCH] carl9170: fix out of bounds read

__carlfw_find_desc didn't check whenever the area for a descriptor was within the file length. Also it could read beyond the file while looking for a said descriptor.

Signed-off-by: Christian Lamparter
---
 tools/lib/carlfw.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tools/lib/carlfw.c b/tools/lib/carlfw.c
index ce61afb..79a7467 100644
--- a/tools/lib/carlfw.c
+++ b/tools/lib/carlfw.c
@@ -186,10 +186,15 @@ static void *__carlfw_find_desc(struct carlfw_file *file,
 unsigned int len,
 uint8_t compatible_revision)
 {
- int scan = file->len, found = 0;
+ int scan, found = 0;
 struct carl9170fw_desc_head *tmp = NULL;
- while (scan >= 0) {
+ /*
+ * Note: the last desc also has atleast a full desc_head.
+ * There's no reason for looking beyond that point.
+ */
+ scan = (file->len - 1) - (sizeof(*tmp) - CARL9170FW_MAGIC_SIZE);
+ while (scan > 0) {
 if (file->data[scan] == descid[CARL9170FW_MAGIC_SIZE - found - 1])
 found++;
 else
@@ -202,10 +207,13 @@ static void *__carlfw_find_desc(struct carlfw_file *file,
 }
 if (found == CARL9170FW_MAGIC_SIZE) {
+ u16 tmp_desc_len;
+
 tmp = (void *) &file->data[scan];
+ tmp_desc_len = le16_to_cpu(tmp->length);
 if (!CHECK_HDR_VERSION(tmp, compatible_revision) &&
- (le16_to_cpu(tmp->length) >= len))
+ (scan + tmp_desc_len <= file->len) && (tmp_desc_len >= len))
 return tmp;
 }
--
2.31.1
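Review bot: The new start offset `scan = (file->len - 1) - (sizeof(*tmp) - CARL9170FW_MAGIC_SIZE);` is computed in unsigned arithmetic (sizeof yields size_t, and file->len is presumably unsigned as well) and only then stored into the `int scan`, so for a file shorter than the descriptor header the subtraction wraps and the loop is skipped only because the wrapped value happens to convert to a negative int, which is implementation-defined rather than guaranteed. An explicit guard ahead of the computation removes that dependence and documents the minimum input size: `if (file->len < sizeof(*tmp)) return NULL;`. Separately, `while (scan > 0)` replaces the old `scan >= 0`, so `file->data[0]` is never examined and a descriptor whose magic begins at offset 0 can no longer be matched; if that is intended for real images it deserves a line in the comment above the loop. The body of `__carlfw_find_desc` continues past the end of this hunk.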
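Review bot: The new bound `(scan + tmp_desc_len <= file->len)` keeps the descriptor inside the file, but nothing requires `tmp_desc_len` to cover the header that was just read from it; unless every caller passes a `len` of at least `sizeof(*tmp)`, a descriptor advertising a length of 0 or a few bytes passes both checks even though its `length` field lies beyond the bytes it claims. Since this parses untrusted firmware-file contents, the minimum is cheap to pin in the same condition: `(tmp_desc_len >= sizeof(*tmp)) && (tmp_desc_len >= len)`. The enclosing loop and the function's tail lie outside this hunk.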