authorKristian Høgsberg <krh@redhat.com>2007-03-28 14:46:23 -0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2007-03-28 15:30:16 -0400
commitef370ee74b7a9cb769d50bfb73b4023ee3e37719 (patch)
treef5e2c9e3a05930a303f963e517ec6cbd8cdef690
parentc5dfd0a5b09bf20adf26b3242258679e305c39c8 (diff)
firewire: Fix the range check for the queue_iso payload pointer.
Signed-off-by: Kristian Høgsberg <krh@redhat.com> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (renamed a variable)
-rw-r--r--drivers/firewire/fw-device-cdev.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/firewire/fw-device-cdev.c b/drivers/firewire/fw-device-cdev.c
index d02dbc5af91e..fab6dfbcca1b 100644
--- a/drivers/firewire/fw-device-cdev.c
+++ b/drivers/firewire/fw-device-cdev.c
@@ -711,7 +711,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
711 struct fw_cdev_queue_iso request; 711 struct fw_cdev_queue_iso request;
712 struct fw_cdev_iso_packet __user *p, *end, *next; 712 struct fw_cdev_iso_packet __user *p, *end, *next;
713 struct fw_iso_context *ctx = client->iso_context; 713 struct fw_iso_context *ctx = client->iso_context;
714 unsigned long payload, payload_end, header_length; 714 unsigned long payload, buffer_end, header_length;
715 int count; 715 int count;
716 struct { 716 struct {
717 struct fw_iso_packet packet; 717 struct fw_iso_packet packet;
@@ -732,11 +732,11 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
732 * and the request.data pointer is ignored.*/ 732 * and the request.data pointer is ignored.*/
733 733
734 payload = (unsigned long)request.data - client->vm_start; 734 payload = (unsigned long)request.data - client->vm_start;
735 payload_end = payload + (client->buffer.page_count << PAGE_SHIFT); 735 buffer_end = client->buffer.page_count << PAGE_SHIFT;
736 if (request.data == 0 || client->buffer.pages == NULL || 736 if (request.data == 0 || client->buffer.pages == NULL ||
737 payload >= payload_end) { 737 payload >= buffer_end) {
738 payload = 0; 738 payload = 0;
739 payload_end = 0; 739 buffer_end = 0;
740 } 740 }
741 741
742 if (!access_ok(VERIFY_READ, request.packets, request.size)) 742 if (!access_ok(VERIFY_READ, request.packets, request.size))
@@ -773,7 +773,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
773 if (u.packet.skip && ctx->type == FW_ISO_CONTEXT_TRANSMIT && 773 if (u.packet.skip && ctx->type == FW_ISO_CONTEXT_TRANSMIT &&
774 u.packet.header_length + u.packet.payload_length > 0) 774 u.packet.header_length + u.packet.payload_length > 0)
775 return -EINVAL; 775 return -EINVAL;
776 if (payload + u.packet.payload_length > payload_end) 776 if (payload + u.packet.payload_length > buffer_end)
777 return -EINVAL; 777 return -EINVAL;
778 778
779 if (fw_iso_context_queue(ctx, &u.packet, 779 if (fw_iso_context_queue(ctx, &u.packet,
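Review bot: In the second hunk the new bound `buffer_end = client->buffer.page_count << PAGE_SHIFT;` is shifted in whatever type `page_count` has, which is not visible here; if that is a 32-bit int, a large enough buffer would overflow the shift before the result is widened to unsigned long, and the checks at lines 737 and 776 would compare against a wrong limit. Casting first, `buffer_end = (unsigned long)client->buffer.page_count << PAGE_SHIFT;`, removes the doubt. The same check also relies on unsigned wraparound to reject a user-supplied `request.data` that lies below `client->vm_start`, which is worth stating next to line 734, for example `/* request.data below vm_start wraps to a huge offset and fails the >= buffer_end test */`. Whether `payload` is advanced per packet before the test at line 776 cannot be seen from here, since ioctl_queue_iso begins and ends outside the hunks shown.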