diff options
author | Kristian Høgsberg <krh@redhat.com> | 2007-03-28 14:46:23 -0400 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-03-28 15:30:16 -0400 |
commit | ef370ee74b7a9cb769d50bfb73b4023ee3e37719 (patch) | |
tree | f5e2c9e3a05930a303f963e517ec6cbd8cdef690 | |
parent | c5dfd0a5b09bf20adf26b3242258679e305c39c8 (diff) |
firewire: Fix the range check for the queue_iso payload pointer.
Signed-off-by: Kristian Høgsberg <krh@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (renamed a variable)
-rw-r--r-- | drivers/firewire/fw-device-cdev.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/firewire/fw-device-cdev.c b/drivers/firewire/fw-device-cdev.c index d02dbc5af91e..fab6dfbcca1b 100644 --- a/drivers/firewire/fw-device-cdev.c +++ b/drivers/firewire/fw-device-cdev.c | |||
@@ -711,7 +711,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg) | |||
711 | struct fw_cdev_queue_iso request; | 711 | struct fw_cdev_queue_iso request; |
712 | struct fw_cdev_iso_packet __user *p, *end, *next; | 712 | struct fw_cdev_iso_packet __user *p, *end, *next; |
713 | struct fw_iso_context *ctx = client->iso_context; | 713 | struct fw_iso_context *ctx = client->iso_context; |
714 | unsigned long payload, payload_end, header_length; | 714 | unsigned long payload, buffer_end, header_length; |
715 | int count; | 715 | int count; |
716 | struct { | 716 | struct { |
717 | struct fw_iso_packet packet; | 717 | struct fw_iso_packet packet; |
@@ -732,11 +732,11 @@ static int ioctl_queue_iso(struct client *client, void __user *arg) | |||
732 | * and the request.data pointer is ignored.*/ | 732 | * and the request.data pointer is ignored.*/ |
733 | 733 | ||
734 | payload = (unsigned long)request.data - client->vm_start; | 734 | payload = (unsigned long)request.data - client->vm_start; |
735 | payload_end = payload + (client->buffer.page_count << PAGE_SHIFT); | 735 | buffer_end = client->buffer.page_count << PAGE_SHIFT; |
736 | if (request.data == 0 || client->buffer.pages == NULL || | 736 | if (request.data == 0 || client->buffer.pages == NULL || |
737 | payload >= payload_end) { | 737 | payload >= buffer_end) { |
738 | payload = 0; | 738 | payload = 0; |
739 | payload_end = 0; | 739 | buffer_end = 0; |
740 | } | 740 | } |
741 | 741 | ||
742 | if (!access_ok(VERIFY_READ, request.packets, request.size)) | 742 | if (!access_ok(VERIFY_READ, request.packets, request.size)) |
@@ -773,7 +773,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg) | |||
773 | if (u.packet.skip && ctx->type == FW_ISO_CONTEXT_TRANSMIT && | 773 | if (u.packet.skip && ctx->type == FW_ISO_CONTEXT_TRANSMIT && |
774 | u.packet.header_length + u.packet.payload_length > 0) | 774 | u.packet.header_length + u.packet.payload_length > 0) |
775 | return -EINVAL; | 775 | return -EINVAL; |
776 | if (payload + u.packet.payload_length > payload_end) | 776 | if (payload + u.packet.payload_length > buffer_end) |
777 | return -EINVAL; | 777 | return -EINVAL; |
778 | 778 | ||
779 | if (fw_iso_context_queue(ctx, &u.packet, | 779 | if (fw_iso_context_queue(ctx, &u.packet, |