authorMichael Albaugh <Michael.Albaugh@Qlogic.com>2007-10-18 13:36:40 -0400
committerRoland Dreier <rolandd@cisco.com>2007-10-30 13:58:53 -0400
commit627934448ec80f823eafd0a7d4b7541515d543a3 (patch)
treed29e64a2c7ac9d9b27d371911013c091a1b8f96f
parentfffbfeaa680e2b87a591e141f2aa7e9e91184956 (diff)
IB/ipath: Limit length checksummed in eeprom
The small eeprom that holds the GUID etc. contains a data-length, but if the actual eeprom is new or has been erased, that byte will be 0xFF, which is greater than the maximum physical length of the eeprom, and more importantly greater than the length of the buffer we vmalloc'd. Sanity-check the length to avoid the possibility of reading past end of buffer. Signed-off-by: Michael Albaugh <Michael.Albaugh@Qlogic.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r--drivers/infiniband/hw/ipath/ipath_eeprom.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/ipath/ipath_eeprom.c b/drivers/infiniband/hw/ipath/ipath_eeprom.c
index bcfa3ccb555..e7c25dbbcdc 100644
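--- a/drivers/infiniband/hw/ipath/ipath_eeprom.c
+++ b/drivers/infiniband/hw/ipath/ipath_eeprom.c
@@ -538,7 +538,15 @@ static u8 flash_csum(struct ipath_flash *ifp, int adjust)
 u8 *ip = (u8 *) ifp;
 u8 csum = 0, len;
 
-for (len = 0; len < ifp->if_length; len++)
+/*
+* Limit length checksummed to max length of actual data.
+* Checksum of erased eeprom will still be bad, but we avoid
+* reading past the end of the buffer we were passed.
+*/
+len = ifp->if_length;
+if (len > sizeof(struct ipath_flash))
+len = sizeof(struct ipath_flash);
+while (len--)
 csum += *ip++;
 csum -= ifp->if_csum;
 csum = ~csum;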
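Review bot: The clamp at `if (len > sizeof(struct ipath_flash))` uses the struct size as a stand-in for the caller's buffer size, which flash_csum() is never told. The read stays in bounds only if every caller passes at least `sizeof(struct ipath_flash)` bytes, so I would state that precondition above the function, e.g. `/* ifp must point to at least sizeof(struct ipath_flash) readable bytes */`. An out-of-range `if_length` is also clamped silently and left for the 8-bit checksum to reject, which can match by chance. Since a length larger than the struct is definitively invalid, the caller could fail the EEPROM read outright when `ifp->if_length > sizeof(struct ipath_flash)`. The callers and the rest of flash_csum() are outside this hunk, so whether such a check already exists cannot be confirmed from here.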