| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1259871433.2780.42.camel@achroite.uk.solarflarecom.com>
Date: Thu, 03 Dec 2009 20:17:13 +0000
From: Ben Hutchings <bhutchings@...arflare.com>
To: Michael Chan <mchan@...adcom.com>
Cc: davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH 4/5] bnx2: Read firmware version from VPD.
On Thu, 2009-12-03 at 11:46 -0800, Michael Chan wrote:
> And display it through ethtool -i.
>
> Signed-off-by: Michael Chan <mchan@...adcom.com>
> ---
> drivers/net/bnx2.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++--
> 1 files changed, 99 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c
> index dba3840..b7bc74b 100644
> --- a/drivers/net/bnx2.c
> +++ b/drivers/net/bnx2.c
> @@ -7722,6 +7722,93 @@ bnx2_get_pci_speed(struct bnx2 *bp)
>
> }
>
> +static void __devinit
> +bnx2_read_vpd_fw_ver(struct bnx2 *bp)
> +{
> + int rc, i, v0_len = 0;
> + u8 *data;
> + u8 *v0_str = NULL;
> + bool mn_match = false;
> +
> +#define BNX2_MAX_VER_SLEN 30
And how about:
#define BNX2_VPD_LEN 128
and then using that instead of all the magic numbers below...
> + data = kmalloc(256, GFP_KERNEL);
> + if (!data)
> + return;
> +
> + rc = bnx2_nvram_read(bp, 0x300, data + 128, 128);
> + if (rc)
> + goto vpd_done;
> +
> + for (i = 0; i < 128; i += 4) {
> + data[i] = data[i + 131];
> + data[i + 1] = data[i + 130];
> + data[i + 2] = data[i + 129];
> + data[i + 3] = data[i + 128];
> + }
Is this correct for both big-endian and little-endian architectures?
> + for (i = 0; i < 128; ) {
Allowing for the size of a long tag, that should be:
for (i = 0; i <= BNX2_VPD_LEN - 3; ) {
> + unsigned char val = data[i];
> + unsigned int block_end;
> +
> + if (val == 0x82 || val == 0x91) {
> + i = (i + 3 + (data[i + 1] + (data[i + 2] << 8)));
> + continue;
> + }
> +
> + if (val != 0x90)
> + goto vpd_done;
> +
> + block_end = (i + 3 + (data[i + 1] + (data[i + 2] << 8)));
Perhaps these VPD tag values should go in pci_regs.h. And there's
really no need to repeat the length calculation.
> + i += 3;
> +
> + if (block_end > 128)
> + goto vpd_done;
> +
> + while (i < (block_end - 2)) {
> + if (data[i] == 'M' && data[i + 1] == 'N') {
> + int mn_len = data[i + 2];
> +
> + if (mn_len != 4)
> + goto vpd_done;
> +
> + i += 3;
> + if (memcmp(&data[i], "1028", 4))
> + goto vpd_done;
> + mn_match = true;
> + i += 4;
> +
> + } else if (data[i] == 'V' && data[i + 1] == '0') {
> + v0_len = data[i + 2];
> +
> + i += 3;
> + if (v0_len > BNX2_MAX_VER_SLEN ||
> + (v0_len + i) > 128)
> + goto vpd_done;
> +
> + if (v0_len > BNX2_MAX_VER_SLEN)
> + v0_len = BNX2_MAX_VER_SLEN;
> +
> + v0_str = &data[i];
> + i += data[i + 2];
This last statement is reading the length from the wrong byte since i
has already been updated.
> + } else {
> + i += 3 + data[i + 2];
> + }
[...]
It would make more sense to read and validate length just once:
while (i < (block_end - 2)) {
int len = data[i + 2];
if (i + 3 + len > block_end)
goto vpd_done;
if (data[i] == 'M' && data[i + 1] == 'N') {
if (len != 4 ||
memcmp(&data[i + 3], "1028", 4))
goto vpd_done;
mn_match = true;
} else if (data[i] == 'V' && data[i + 1] == '0') {
if (len > BNX2_MAX_VER_SLEN)
goto vpd_done;
v0_str = &data[i + 3];
v0_len = len;
}
i += 3 + len;
...
Ben.
--
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists