From 5428968f0f8fb5057e43ff7c716316f56b5b8876 Mon Sep 17 00:00:00 2001 From: Dimitry Andric Date: Sun, 2 Apr 2006 20:30:21 +0000 Subject: Prevent panic when loading pre-3.0 iwi firmware, and give a helpful error message instead. Also return EINVAL for some other error paths. ok damien, deraadt --- sys/dev/pci/if_iwi.c | 12 +++++++++++- sys/dev/pci/if_iwireg.h | 7 +++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/sys/dev/pci/if_iwi.c b/sys/dev/pci/if_iwi.c index 5c64069c7ab..5dc59ccc81a 100644 --- a/sys/dev/pci/if_iwi.c +++ b/sys/dev/pci/if_iwi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwi.c,v 1.65 2006/04/01 15:36:01 mickey Exp $ */ +/* $OpenBSD: if_iwi.c,v 1.66 2006/04/02 20:30:19 dim Exp $ */ /*- * Copyright (c) 2004-2006 @@ -2131,15 +2131,25 @@ iwi_init(struct ifnet *ifp) if (size < sizeof (struct iwi_firmware_hdr)) { printf("%s: firmware image too short: %zu bytes\n", sc->sc_dev.dv_xname, size); + error = EINVAL; goto fail2; } hdr = (struct iwi_firmware_hdr *)data; + if (hdr->vermaj < 3 || hdr->bootsz == 0 || hdr->ucodesz == 0 || + hdr->mainsz == 0) { + printf("%s: firmware image too old (need at least 3.0)\n", + sc->sc_dev.dv_xname); + error = EINVAL; + goto fail2; + } + if (size < sizeof (struct iwi_firmware_hdr) + letoh32(hdr->bootsz) + letoh32(hdr->ucodesz) + letoh32(hdr->mainsz)) { printf("%s: firmware image too short: %zu bytes\n", sc->sc_dev.dv_xname, size); + error = EINVAL; goto fail2; } diff --git a/sys/dev/pci/if_iwireg.h b/sys/dev/pci/if_iwireg.h index db1585d84f3..dd43adc399f 100644 --- a/sys/dev/pci/if_iwireg.h +++ b/sys/dev/pci/if_iwireg.h @@ -1,4 +1,4 @@ -/* $OpenBSD: if_iwireg.h,v 1.23 2006/04/01 01:04:40 pedro Exp $ */ +/* $OpenBSD: if_iwireg.h,v 1.24 2006/04/02 20:30:20 dim Exp $ */ /*- * Copyright (c) 2004-2006 @@ -129,7 +129,10 @@ /* firmware binary image header */ struct iwi_firmware_hdr { - uint32_t version; + uint8_t oldvermaj; + uint8_t oldvermin; + uint8_t vermaj; + uint8_t vermin; uint32_t bootsz; uint32_t ucodesz; uint32_t mainsz; -- cgit v1.2.3