From 2c5270ac807e46889fb08c3cf3c65902d0c35bb2 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Fri, 1 Mar 2013 23:28:06 +0300 Subject: [PATCH] Staging: bcm: potential forever loop verifying firmware There is an ioctl() to write data to the firmware. After the data is written, it reads the databack from the firmware and compares against what the user wanted to write and prints an error message if it doesn't match. The problem is that verify process has a forever loop if the firmware size is not a multiple of 4. I've fixed it by replacing the bcm compare function with memcmp(). I have chopped out some debugging code in the process. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/bcm/InterfaceDld.c | 32 +++++------------------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/drivers/staging/bcm/InterfaceDld.c b/drivers/staging/bcm/InterfaceDld.c index 64ea6edb9dc2..348ad75b340d 100644 --- a/drivers/staging/bcm/InterfaceDld.c +++ b/drivers/staging/bcm/InterfaceDld.c @@ -205,30 +205,6 @@ static int bcm_download_config_file(struct bcm_mini_adapter *Adapter, struct bcm return retval; } -static int bcm_compare_buff_contents(unsigned char *readbackbuff, unsigned char *buff, unsigned int len) -{ - int retval = STATUS_SUCCESS; - struct bcm_mini_adapter *Adapter = GET_BCM_ADAPTER(gblpnetdev); - if ((len-sizeof(unsigned int)) < 4) { - if (memcmp(readbackbuff , buff, len)) - retval = -EINVAL; - } else { - len -= 4; - - while (len) { - if (*(unsigned int *)&readbackbuff[len] != *(unsigned int *)&buff[len]) { - BCM_DEBUG_PRINT(Adapter, DBG_TYPE_INITEXIT, MP_INIT, DBG_LVL_ALL, "Firmware Download is not proper"); - BCM_DEBUG_PRINT(Adapter, DBG_TYPE_INITEXIT, MP_INIT, DBG_LVL_ALL, "Val from Binary %x, Val From Read Back %x ", *(unsigned int *)&buff[len], *(unsigned int*)&readbackbuff[len]); - BCM_DEBUG_PRINT(Adapter, DBG_TYPE_INITEXIT, MP_INIT, DBG_LVL_ALL, "len =%x!!!", len); - retval = -EINVAL; - break; - } - len -= 4; - } - } - return retval; -} - int bcm_ioctl_fw_download(struct bcm_mini_adapter *Adapter, struct bcm_firmware_info *psFwInfo) { int retval = STATUS_SUCCESS; @@ -321,9 +297,11 @@ static INT buffRdbkVerify(struct bcm_mini_adapter *Adapter, PUCHAR mappedbuffer, break; } - retval = bcm_compare_buff_contents(readbackbuff, mappedbuffer, len); - if (STATUS_SUCCESS != retval) - break; + if (memcmp(readbackbuff, mappedbuffer, len) != 0) { + pr_err("%s() failed. The firmware doesn't match what was written", + __func__); + retval = -EIO; + } u32StartingAddress += len; u32FirmwareLength -= len; -- 2.34.1