git: a4fcbac5d891 - main - rtlbtfw(8): Fix incorrect chunk index overwrap in rtlbt_load_fwfile()
Date: Tue, 29 Apr 2025 20:29:37 UTC
The branch main has been updated by wulf:
URL: https://cgit.FreeBSD.org/src/commit/?id=a4fcbac5d891e3909474ffe7ed7064972a1a7577
commit a4fcbac5d891e3909474ffe7ed7064972a1a7577
Author: Vladimir Kondratyev <wulf@FreeBSD.org>
AuthorDate: 2025-04-29 20:28:53 +0000
Commit: Vladimir Kondratyev <wulf@FreeBSD.org>
CommitDate: 2025-04-29 20:28:53 +0000
rtlbtfw(8): Fix incorrect chunk index overwrap in rtlbt_load_fwfile()
It prevented large (>256 chunks) firmwares from loading.
Fixes: 5036d9652a57 ("rtlbtfw: Firmware loader for Realtek 87XX/88XX")
Sponsored by: Future Crew, LLC
MFC after: 1 week
---
usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c b/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c
index 493358294c07..21f2c3e2804f 100644
--- a/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c
+++ b/usr.sbin/bluetooth/rtlbtfw/rtlbt_hw.c
@@ -189,19 +189,18 @@ rtlbt_load_fwfile(struct libusb_device_handle *hdl,
uint8_t *data = fw->buf;
int frag_num = fw->len / RTLBT_MAX_CMD_DATA_LEN + 1;
int frag_len = RTLBT_MAX_CMD_DATA_LEN;
- int i;
+ int i, j;
int ret, transferred;
- for (i = 0; i < frag_num; i++) {
+ for (i = 0, j = 0; i < frag_num; i++, j++) {
rtlbt_debug("download fw (%d/%d)", i + 1, frag_num);
memset(cmd_buf, 0, sizeof(cmd_buf));
cmd->opcode = htole16(0xfc20);
- if (i > 0x7f)
- dl_cmd->index = (i & 0x7f) + 1;
- else
- dl_cmd->index = i;
+ if (j > 0x7f)
+ j = 1;
+ dl_cmd->index = j;
if (i == (frag_num - 1)) {
dl_cmd->index |= 0x80; /* data end */
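Review bot: The wrap at `if (j > 0x7f) j = 1;` carries no comment saying why the index restarts at 1 rather than 0, or that 0x7f is the ceiling because bit 0x80 is the data-end flag OR-ed in a few lines below. A one-line comment there, plus named constants in place of the bare 0x7f and 0x80, would record the invariant this fix restores: the removed expression `(i & 0x7f) + 1` evaluates to 0x80 at i = 255, which collides with that flag on a fragment that is not the last one. Since `j` is now advanced in the loop header and reset in the body, it would also read more clearly to keep both steps together in the body. Separately, in the unchanged context, `frag_num = fw->len / RTLBT_MAX_CMD_DATA_LEN + 1` yields one extra fragment when `fw->len` is an exact multiple of `RTLBT_MAX_CMD_DATA_LEN`; the length handling for the final fragment is not visible in this hunk, so it is worth confirming that a zero-length last fragment is intended.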