One more thing I noticed while reading the code - and from what I can tell it has been like this forever - there's no input validation at all.
The code uses pointer+48 - but nothing has checked that there are (more than, or even) 48 bytes ... or for that matter, that the uh-> header is even there (the firmware load routines will have just returned whatever was in the file). I guess the assumption is that this is a root-only facility (I hope!) and root won't give it a file to load that isn't the correct file, but it still seems wrong to do no validity checking at all.

kre
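The checks the message above describes as missing, written out as an added example; it is not part of the original post and not the code under discussion. Only the 48-byte header size comes from the post: the header layout, the magic value and every name (`fw_hdr`, `fw_validate`, `FW_MAGIC`) are hypothetical, and fields are read in host byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_HDR_LEN 48u         /* header size, from the post (pointer+48) */
#define FW_MAGIC   0x31305746u /* hypothetical magic, constructed for this example */

/* Hypothetical layout: only the 48-byte total size comes from the post. */
struct fw_hdr {
    uint32_t magic;        /* identifies the file type */
    uint32_t payload_len;  /* bytes that follow the header */
    uint8_t  reserved[40];
};
_Static_assert(sizeof(struct fw_hdr) == FW_HDR_LEN, "header must be 48 bytes");

enum fw_err { FW_OK = 0, FW_ESHORT = -1, FW_EMAGIC = -2, FW_ELEN = -3 };

/* Validate an untrusted file image of `len` bytes before anything reads
 * the header or buf + 48. The out-parameters are set only on success. */
int fw_validate(const uint8_t *buf, size_t len,
                const uint8_t **payload, size_t *payload_len)
{
    struct fw_hdr h;

    if (buf == NULL || len <= FW_HDR_LEN)  /* header plus at least 1 byte */
        return FW_ESHORT;
    memcpy(&h, buf, sizeof(h));            /* copy out: buf may be unaligned */
    if (h.magic != FW_MAGIC)               /* is the header even there? */
        return FW_EMAGIC;
    /* Compare against what is left; never add to a length taken from the file. */
    if (h.payload_len == 0 || h.payload_len > len - FW_HDR_LEN)
        return FW_ELEN;
    *payload = buf + FW_HDR_LEN;
    *payload_len = h.payload_len;
    return FW_OK;
}

int main(void)
{
    uint8_t blob[64] = {0};                /* constructed sample file image */
    struct fw_hdr h = { FW_MAGIC, 16, {0} };
    const uint8_t *p;
    size_t n;

    memcpy(blob, &h, sizeof(h));
    printf("full file: %d\n", fw_validate(blob, sizeof(blob), &p, &n));
    printf("truncated: %d\n", fw_validate(blob, 20, &p, &n));
    return 0;
}
```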