From 8d7802ed3c617120863f84346638d1cf1c96137b Mon Sep 17 00:00:00 2001
From: matthieu castet <castet.matthieu@free.fr>
Date: Tue, 8 Nov 2005 00:02:30 +0100
Subject: [PATCH] [PATCH] USB: Eagle and ADI 930 usb adsl modem driver fix

More care on loading firmware, take into account fw->size can't be zero.

Signed-off-by: Matthieu CASTET <castet.matthieu@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/usb/atm/ueagle-atm.c | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c
index 3e2475c666a..be08e16df09 100644
--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -426,14 +426,14 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
 
 	pfw = fw_entry->data;
 	size = fw_entry->size;
+	if (size < 4)
+		goto err_fw_corrupted;
 
 	crc = FW_GET_LONG(pfw);
 	pfw += 4;
 	size -= 4;
-	if (crc32_be(0, pfw, size) != crc) {
-		uea_err(usb, "firmware is corrupted\n");
-		goto err;
-	}
+	if (crc32_be(0, pfw, size) != crc)
+		goto err_fw_corrupted;
 
 	/*
 	 * Start to upload formware : send reset
@@ -446,9 +446,14 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
 		goto err;
 	}
 
-	while (size > 0) {
+	while (size > 3) {
 		u8 len = FW_GET_BYTE(pfw);
 		u16 add = FW_GET_WORD(pfw + 1);
+
+		size -= len + 3;
+		if (size < 0)
+			goto err_fw_corrupted;
+
 		ret = uea_send_modem_cmd(usb, add, len, pfw + 3);
 		if (ret < 0) {
 			uea_err(usb, "uploading firmware data failed "
@@ -456,9 +461,11 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
 			goto err;
 		}
 		pfw += len + 3;
-		size -= len + 3;
 	}
 
+	if (size != 0)
+		goto err_fw_corrupted;
+
 	/*
 	 * Tell the modem we finish : de-assert reset
 	 */
@@ -469,6 +476,11 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry, void *conte
 	else
 		uea_info(usb, "firmware uploaded\n");
 
+	uea_leaves(usb);
+	return;
+
+err_fw_corrupted:
+	uea_err(usb, "firmware is corrupted\n");
 err:
 	uea_leaves(usb);
 }
@@ -522,10 +534,6 @@ static int check_dsp(u8 *dsp, unsigned int len)
 	u32 pageoffset;
 	unsigned int i, j, p, pp;
 
-	/* enough space for pagecount? */
-	if (len < 1)
-		return 1;
-
 	pagecount = FW_GET_BYTE(dsp);
 	p = 1;
 
-- 
2.41.0