authorDimitry Andric <dim@cvs.openbsd.org>2006-04-02 20:30:21 +0000
committerDimitry Andric <dim@cvs.openbsd.org>2006-04-02 20:30:21 +0000
commit5428968f0f8fb5057e43ff7c716316f56b5b8876 (patch)
treeeb52706b49cc175db22b5282a86c1f51f7fdaeae
parenta549a1d7a917c0bfae329d45a5af791f1b5b6ffc (diff)
Prevent panic when loading pre-3.0 iwi firmware, and give a helpful
error message instead. Also return EINVAL for some other error paths. ok damien, deraadt
-rw-r--r--sys/dev/pci/if_iwi.c12
-rw-r--r--sys/dev/pci/if_iwireg.h7
2 files changed, 16 insertions, 3 deletions
diff --git a/sys/dev/pci/if_iwi.c b/sys/dev/pci/if_iwi.c
index 5c64069c7ab..5dc59ccc81a 100644
--- a/sys/dev/pci/if_iwi.c
+++ b/sys/dev/pci/if_iwi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwi.c,v 1.65 2006/04/01 15:36:01 mickey Exp $ */
+/* $OpenBSD: if_iwi.c,v 1.66 2006/04/02 20:30:19 dim Exp $ */
/*-
* Copyright (c) 2004-2006
@@ -2131,15 +2131,25 @@ iwi_init(struct ifnet *ifp)
if (size < sizeof (struct iwi_firmware_hdr)) {
printf("%s: firmware image too short: %zu bytes\n",
sc->sc_dev.dv_xname, size);
+ error = EINVAL;
goto fail2;
}
hdr = (struct iwi_firmware_hdr *)data;
+ if (hdr->vermaj < 3 || hdr->bootsz == 0 || hdr->ucodesz == 0 ||
+ hdr->mainsz == 0) {
+ printf("%s: firmware image too old (need at least 3.0)\n",
+ sc->sc_dev.dv_xname);
+ error = EINVAL;
+ goto fail2;
+ }
+
if (size < sizeof (struct iwi_firmware_hdr) + letoh32(hdr->bootsz) +
letoh32(hdr->ucodesz) + letoh32(hdr->mainsz)) {
printf("%s: firmware image too short: %zu bytes\n",
sc->sc_dev.dv_xname, size);
+ error = EINVAL;
goto fail2;
}
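Review bot: The total-size check that follows the new version test sums three 32-bit sizes read from the firmware image, and where size_t is 32 bits that sum can wrap, so a header with very large `bootsz`, `ucodesz` or `mainsz` could still be accepted as fitting in `size`. Computing the sum in 64 bits avoids this: change the first line of the condition to `if (size < (uint64_t)sizeof (struct iwi_firmware_hdr) + letoh32(hdr->bootsz) +` and leave the continuation line as it is. The added `== 0` test rejects only zero sizes and puts no upper bound on them. The code that consumes these sizes, like the rest of iwi_init, is outside the hunk, so the effect of a wrapped sum is inferred rather than shown.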
diff --git a/sys/dev/pci/if_iwireg.h b/sys/dev/pci/if_iwireg.h
index db1585d84f3..dd43adc399f 100644
--- a/sys/dev/pci/if_iwireg.h
+++ b/sys/dev/pci/if_iwireg.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_iwireg.h,v 1.23 2006/04/01 01:04:40 pedro Exp $ */
+/* $OpenBSD: if_iwireg.h,v 1.24 2006/04/02 20:30:20 dim Exp $ */
/*-
* Copyright (c) 2004-2006
@@ -129,7 +129,10 @@
/* firmware binary image header */
struct iwi_firmware_hdr {
- uint32_t version;
+ uint8_t oldvermaj;
+ uint8_t oldvermin;
+ uint8_t vermaj;
+ uint8_t vermin;
uint32_t bootsz;
uint32_t ucodesz;
uint32_t mainsz;
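Review bot: The four version bytes that replace `version` have no comment saying which pair a given firmware generation fills in, although the new check in if_iwi.c depends on `vermaj` being below 3 for old images. If the intent is that pre-3.0 images keep their version in the first two bytes, a comment such as `/* oldvermaj/oldvermin: version as stored by pre-3.0 images; vermaj/vermin: 3.0 and later */` above the fields would record that. It would also help to note that the three size fields are little-endian in the file, since if_iwi.c reads them through `letoh32`. The struct's closing line and any packing attribute are outside the hunk.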