aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/firewire
diff options
context:
space:
mode:
authorStefan Richter <stefanr@s5r6.in-berlin.de>2008-05-31 13:36:06 -0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2008-06-18 18:12:34 -0400
commitccff962943df539c5860aa120eecc189d70a308b (patch)
tree645f031d3b751a30e20ce65e364948fb9426f7b2 /drivers/firewire
parent0bf607c5b4edd13362e4add6ca1e81f8a9fbd47c (diff)
firewire: fw-ohci: use of uninitialized data in AR handler
header_length and payload_length are filled with random data if an unknown tcode was read from the AR buffer (i.e. if the AR buffer contained invalid data). We still need a better strategy to recover from this, but at least handle_ar_packet now doesn't return out of bound buffer addresses anymore. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers/firewire')
-rw-r--r--drivers/firewire/fw-ohci.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/firewire/fw-ohci.c b/drivers/firewire/fw-ohci.c
index 4f02c55f13e..b062e736b78 100644
--- a/drivers/firewire/fw-ohci.c
+++ b/drivers/firewire/fw-ohci.c
@@ -548,6 +548,11 @@ static __le32 *handle_ar_packet(struct ar_context *ctx, __le32 *buffer)
548 p.header_length = 12; 548 p.header_length = 12;
549 p.payload_length = 0; 549 p.payload_length = 0;
550 break; 550 break;
551
552 default:
553 /* FIXME: Stop context, discard everything, and restart? */
554 p.header_length = 0;
555 p.payload_length = 0;
551 } 556 }
552 557
553 p.payload = (void *) buffer + p.header_length; 558 p.payload = (void *) buffer + p.header_length;