diff options
| author | Lv Zheng <lv.zheng@intel.com> | 2013-11-20 23:17:34 -0500 |
|---|---|---|
| committer | Rafael J. Wysocki <rafael.j.wysocki@intel.com> | 2013-11-21 07:47:04 -0500 |
| commit | 9a0a35972591f91167556b4a61673d08ef07f310 (patch) | |
| tree | 81dc770c8618c8a8e5f6a147592cdd7a79b18565 /drivers/acpi/acpica/rscalc.c | |
| parent | c38f671e390fe0d1605b402a28b01b1dbf8e10b3 (diff) | |
ACPICA: Resources: Fix loop termination for the get AML length function.
The loop terminates on a NULL resource pointer, which can never
happen since the loop simply increments a valid resource pointer.
This fix changes the loop to terminate on an end-of-buffer condition.
Problem can be seen by callers to AcpiSetCurrentResources with an
invalid or corrupted resource descriptor; or a resource descriptor
without an END_TAG descriptor.
(refined by Bob Moore)
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lv Zheng <lv.zheng@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Diffstat (limited to 'drivers/acpi/acpica/rscalc.c')
| -rw-r--r-- | drivers/acpi/acpica/rscalc.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/drivers/acpi/acpica/rscalc.c b/drivers/acpi/acpica/rscalc.c index b62a0f4f4f9b..b60c9cf82862 100644 --- a/drivers/acpi/acpica/rscalc.c +++ b/drivers/acpi/acpica/rscalc.c | |||
| @@ -174,6 +174,7 @@ acpi_rs_stream_option_length(u32 resource_length, | |||
| 174 | * FUNCTION: acpi_rs_get_aml_length | 174 | * FUNCTION: acpi_rs_get_aml_length |
| 175 | * | 175 | * |
| 176 | * PARAMETERS: resource - Pointer to the resource linked list | 176 | * PARAMETERS: resource - Pointer to the resource linked list |
| 177 | * resource_list_size - Size of the resource linked list | ||
| 177 | * size_needed - Where the required size is returned | 178 | * size_needed - Where the required size is returned |
| 178 | * | 179 | * |
| 179 | * RETURN: Status | 180 | * RETURN: Status |
| @@ -185,16 +186,20 @@ acpi_rs_stream_option_length(u32 resource_length, | |||
| 185 | ******************************************************************************/ | 186 | ******************************************************************************/ |
| 186 | 187 | ||
| 187 | acpi_status | 188 | acpi_status |
| 188 | acpi_rs_get_aml_length(struct acpi_resource * resource, acpi_size * size_needed) | 189 | acpi_rs_get_aml_length(struct acpi_resource *resource, |
| 190 | acpi_size resource_list_size, acpi_size * size_needed) | ||
| 189 | { | 191 | { |
| 190 | acpi_size aml_size_needed = 0; | 192 | acpi_size aml_size_needed = 0; |
| 193 | struct acpi_resource *resource_end; | ||
| 191 | acpi_rs_length total_size; | 194 | acpi_rs_length total_size; |
| 192 | 195 | ||
| 193 | ACPI_FUNCTION_TRACE(rs_get_aml_length); | 196 | ACPI_FUNCTION_TRACE(rs_get_aml_length); |
| 194 | 197 | ||
| 195 | /* Traverse entire list of internal resource descriptors */ | 198 | /* Traverse entire list of internal resource descriptors */ |
| 196 | 199 | ||
| 197 | while (resource) { | 200 | resource_end = |
| 201 | ACPI_ADD_PTR(struct acpi_resource, resource, resource_list_size); | ||
| 202 | while (resource < resource_end) { | ||
| 198 | 203 | ||
| 199 | /* Validate the descriptor type */ | 204 | /* Validate the descriptor type */ |
| 200 | 205 | ||