aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/acpi
diff options
context:
space:
mode:
authorLin Ming <ming.m.lin@intel.com>2010-04-26 23:46:25 -0400
committerLen Brown <len.brown@intel.com>2010-05-06 03:05:54 -0400
commit17b82327f3e7ab5a068f8019768008ee82d912be (patch)
treed92c9d290481a9e903d4fe6f6a2d12a03276aec7 /drivers/acpi
parent3fe50208b29b2463eb6c181c1433dd1beb39f282 (diff)
ACPICA: Prevent possible allocation overrun during object copy
Original code did not handle the case where the object to be copied was a namespace node. Signed-off-by: Lin Ming <ming.m.lin@intel.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Len Brown <len.brown@intel.com>
Diffstat (limited to 'drivers/acpi')
-rw-r--r--drivers/acpi/acpica/utcopy.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
index 97ec3621e71d..6fef83f04bcd 100644
--- a/drivers/acpi/acpica/utcopy.c
+++ b/drivers/acpi/acpica/utcopy.c
@@ -677,16 +677,24 @@ acpi_ut_copy_simple_object(union acpi_operand_object *source_desc,
677 u16 reference_count; 677 u16 reference_count;
678 union acpi_operand_object *next_object; 678 union acpi_operand_object *next_object;
679 acpi_status status; 679 acpi_status status;
680 acpi_size copy_size;
680 681
681 /* Save fields from destination that we don't want to overwrite */ 682 /* Save fields from destination that we don't want to overwrite */
682 683
683 reference_count = dest_desc->common.reference_count; 684 reference_count = dest_desc->common.reference_count;
684 next_object = dest_desc->common.next_object; 685 next_object = dest_desc->common.next_object;
685 686
686 /* Copy the entire source object over the destination object */ 687 /*
688 * Copy the entire source object over the destination object.
689 * Note: Source can be either an operand object or namespace node.
690 */
691 copy_size = sizeof(union acpi_operand_object);
692 if (ACPI_GET_DESCRIPTOR_TYPE(source_desc) == ACPI_DESC_TYPE_NAMED) {
693 copy_size = sizeof(struct acpi_namespace_node);
694 }
687 695
688 ACPI_MEMCPY((char *)dest_desc, (char *)source_desc, 696 ACPI_MEMCPY(ACPI_CAST_PTR(char, dest_desc),
689 sizeof(union acpi_operand_object)); 697 ACPI_CAST_PTR(char, source_desc), copy_size);
690 698
691 /* Restore the saved fields */ 699 /* Restore the saved fields */
692 700