From patchwork Mon Nov 23 19:58:06 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Buesch <mb@bu3sch.de>
X-Patchwork-Id: 62274
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id nANK06O8030935
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 23 Nov 2009 20:00:06 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753758AbZKWT77 (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Mon, 23 Nov 2009 14:59:59 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752955AbZKWT77
	(ORCPT <rfc822;linux-wireless-outgoing>);
	Mon, 23 Nov 2009 14:59:59 -0500
Received: from bu3sch.de ([62.75.166.246]:47736 "EHLO vs166246.vserver.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752758AbZKWT76 (ORCPT <rfc822; linux-wireless@vger.kernel.org>);
	Mon, 23 Nov 2009 14:59:58 -0500
Received: by vs166246.vserver.de with esmtpa (Exim 4.69)
	id 1NCf4s-00045m-I1; Mon, 23 Nov 2009 20:00:02 +0000
From: Michael Buesch <mb@bu3sch.de>
To: "John W. Linville" <linville@tuxdriver.com>
Subject: [PATCH] ssb: Fix range check in sprom write
Date: Mon, 23 Nov 2009 20:58:06 +0100
User-Agent: KMail/1.9.9
Cc: bcm43xx-dev@lists.berlios.de,
	"linux-wireless" <linux-wireless@vger.kernel.org>
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200911232058.06369.mb@bu3sch.de>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org


Index: wireless-testing/drivers/ssb/sprom.c
===================================================================
--- wireless-testing.orig/drivers/ssb/sprom.c	2009-11-23 14:24:57.000000000 +0100
+++ wireless-testing/drivers/ssb/sprom.c	2009-11-23 20:43:04.000000000 +0100
@@ -13,6 +13,8 @@
 
 #include "ssb_private.h"
 
+#include <linux/ctype.h>
+
 
 static const struct ssb_sprom *fallback_sprom;
 
@@ -33,17 +35,27 @@ static int sprom2hex(const u16 *sprom, c
 static int hex2sprom(u16 *sprom, const char *dump, size_t len,
 		     size_t sprom_size_words)
 {
-	char tmp[5] = { 0 };
-	int cnt = 0;
+	char c, tmp[5] = { 0 };
+	int err, cnt = 0;
 	unsigned long parsed;
 
-	if (len < sprom_size_words * 2)
+	/* Strip whitespace at the end. */
+	while (len) {
+		c = dump[len - 1];
+		if (!isspace(c) && c != '\0')
+			break;
+		len--;
+	}
+	/* Length must match exactly. */
+	if (len != sprom_size_words * 4)
 		return -EINVAL;
 
 	while (cnt < sprom_size_words) {
 		memcpy(tmp, dump, 4);
 		dump += 4;
-		parsed = simple_strtoul(tmp, NULL, 16);
+		err = strict_strtoul(tmp, 16, &parsed);
+		if (err)
+			return err;
 		sprom[cnt++] = swab16((u16)parsed);
 	}