From 6131a2601f42cd7fdbac0e960713396fe68af59f Mon Sep 17 00:00:00 2001
From: Francois Romieu
Date: Sun, 20 Apr 2008 19:32:34 +0200
Subject: tehuti: check register size
Signed-off-by: Francois Romieu
Signed-off-by: Jeff Garzik
---
 drivers/net/tehuti.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'drivers/net/tehuti.c')
diff --git a/drivers/net/tehuti.c b/drivers/net/tehuti.c
index 17585e5eed53..d2e1b219673d 100644
--- a/drivers/net/tehuti.c
+++ b/drivers/net/tehuti.c
@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianess(void)
 s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]);
 }
+static int bdx_range_check(struct bdx_priv *priv, u32 offset)
+{
+ return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ?
+ -EINVAL : 0;
+}
+
 static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
 {
 struct bdx_priv *priv = ndev->priv;
@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
 switch (data[0]) {
 case BDX_OP_READ:
+ error = bdx_range_check(priv, data[1]);
+ if (error < 0)
+ return error;
 data[2] = READ_REG(priv, data[1]);
 DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2], data[2]);
@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
 break;
 case BDX_OP_WRITE:
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+ error = bdx_range_check(priv, data[1]);
+ if (error < 0)
+ return error;
 WRITE_REG(priv, data[1], data[2]);
 DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]);
 break;
--
cgit v1.2.1
From f946dffed6334f08da065a89ed65026ebf8b33b4 Mon Sep 17 00:00:00 2001
From: Jeff Garzik
Date: Fri, 25 Apr 2008 03:11:31 -0400
Subject: [netdrvr] tehuti: move ioctl perm check closer to function start
Noticed by davem.
Signed-off-by: Jeff Garzik
---
 drivers/net/tehuti.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'drivers/net/tehuti.c')
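Review bot: In the first commit ("tehuti: check register size"), `bdx_range_check()` rejects only `offset > BDX_REGS_SIZE / priv->nic->port_num`, so an offset equal to that limit, or within a few bytes below it, is accepted even though the access would start at or run past the end of the per-port window. The value comes from the ioctl caller as `data[1]` and goes straight into `READ_REG` and `WRITE_REG` in the second and third hunks, so the bound should leave room for the access width. Assuming the accessors perform 32-bit accesses (their definitions are not shown), that would be `u32 limit = BDX_REGS_SIZE / priv->nic->port_num;` followed by `return (offset > limit - sizeof(u32)) ? -EINVAL : 0;`. Alignment of `offset` is not checked either. A comment such as `/* reject offsets outside this port's share of the register window */` above the helper would document why the size is divided by the port count.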
diff --git a/drivers/net/tehuti.c b/drivers/net/tehuti.c
index d2e1b219673d..e83b166aa6b9 100644
--- a/drivers/net/tehuti.c
+++ b/drivers/net/tehuti.c
@@ -649,6 +649,9 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
 DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);
 }
+ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
 switch (data[0]) {
 case BDX_OP_READ:
@@ -664,8 +667,6 @@ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
 break;
 case BDX_OP_WRITE:
- if (!capable(CAP_NET_ADMIN))
- return -EPERM;
 error = bdx_range_check(priv, data[1]);
 if (error < 0)
 return error;
--
cgit v1.2.1
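Review bot: The `capable(CAP_NET_ADMIN)` check in the first hunk still sits after the block that ends with `DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);`, so an unprivileged caller's request appears to be handled and debug-logged before `-EPERM` is returned. Placing the two lines ahead of that block, before any caller-supplied data is touched, would reject the request first. The start of `bdx_ioctl_priv` lies outside the hunk, so the exact position needs confirming against the full function. A one-line comment such as `/* all private ops access device registers; require CAP_NET_ADMIN */` would record why the read operation is now gated as well.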