diff options
| author | Jason Wright <jason@cvs.openbsd.org> | 2001-04-08 05:40:24 +0000 |
|---|---|---|
| committer | Jason Wright <jason@cvs.openbsd.org> | 2001-04-08 05:40:24 +0000 |
| commit | 5dca8eda4aa1289a6118acde2a3d2afcfbab5248 (patch) | |
| tree | c148e769e8f5499a527400cac398dedeb85f40a6 | |
| parent | b5f6d7134ce72172ccd66b31c6755fa4815e64f0 (diff) | |
make sure that we don't go off the end of the image
| -rw-r--r-- | sys/dev/pci/if_txp.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/sys/dev/pci/if_txp.c b/sys/dev/pci/if_txp.c index b454e5ffcff..682785d7634 100644 --- a/sys/dev/pci/if_txp.c +++ b/sys/dev/pci/if_txp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_txp.c,v 1.2 2001/04/08 05:28:49 jason Exp $ */ +/* $OpenBSD: if_txp.c,v 1.3 2001/04/08 05:40:23 jason Exp $ */ /* * Copyright (c) 2001 @@ -387,6 +387,20 @@ txp_download_fw_section(sc, sect, sectnum) if (sect->nbytes == 0) return (0); + /* Make sure we aren't past the end of the image */ + rseg = ((u_int8_t *)sect) - ((u_int8_t *)TyphoonImage); + if (rseg >= sizeof(TyphoonImage)) { + printf(": fw invalid section address, section %d\n", sectnum); + return (-1); + } + + /* Make sure this section doesn't go past the end */ + rseg += sect->nbytes; + if (rseg >= sizeof(TyphoonImage)) { + printf(": fw truncated section %d\n", sectnum); + return (-1); + } + /* map a buffer, copy segment to it, get physaddr */ if (bus_dmamem_alloc(dmat, sect->nbytes, PAGE_SIZE, 0, &seg, 1, &rseg, BUS_DMA_NOWAIT)) { |