Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ath9k_hw: Fix bug in eeprom data length validation for AR9485

The size of the eeprom data is 1088 bytes for AR9485. But
a sanity check is done against 4K which would result in a
'potential read past the end of the buffer' smatch complaint.

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

Authored by Vasanthakumar Thiagarajan and committed by John W. Linville
d0ce2d17 0207c0c5

+3 -1
drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
··· 59 59 60 60 #define CTL(_tpower, _flag) ((_tpower) | ((_flag) << 6)) 61 61 62 + #define EEPROM_DATA_LEN_9485 1088 63 + 62 64 static int ar9003_hw_power_interpolate(int32_t x, 63 65 int32_t *px, int32_t *py, u_int16_t np); 64 66 ··· 3369 3367 "Found block at %x: code=%d ref=%d length=%d major=%d minor=%d\n", 3370 3368 cptr, code, reference, length, major, minor); 3371 3369 if ((!AR_SREV_9485(ah) && length >= 1024) || 3372 - (AR_SREV_9485(ah) && length >= (4 * 1024))) { 3370 + (AR_SREV_9485(ah) && length > EEPROM_DATA_LEN_9485)) { 3373 3371 ath_dbg(common, ATH_DBG_EEPROM, 3374 3372 "Skipping bad header\n"); 3375 3373 cptr -= COMP_HDR_LEN;
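Review bot: in the first hunk, `#define EEPROM_DATA_LEN_9485 1088` has no comment saying that the value is a byte count or which buffer it has to match. The length check in the second hunk depends on this value to prevent a read past the end of the buffer, so a one-line comment tying it to the AR9485 eeprom data size would help. Deriving it from the size of the buffer or structure it guards, rather than a bare literal, would keep the two from drifting apart.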
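Review bot: in the second hunk, the two branches of the length check now use different comparisons: non-AR9485 parts are rejected at `length >= 1024`, while AR9485 is rejected only at `length > EEPROM_DATA_LEN_9485`, so a block of exactly the maximum size is accepted on AR9485 and skipped everywhere else. If 1088 is the full size of the destination buffer, then `>` is the right bound for AR9485, but the visible lines do not show the buffer, so please confirm that `length == 1088` stays in bounds and say in the commit message whether the switch from `>=` to `>` is intentional. The remaining literal 1024 would also read better as a named constant next to `EEPROM_DATA_LEN_9485`.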