aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/firewire
diff options
context:
space:
mode:
authorStefan Richter <stefanr@s5r6.in-berlin.de>2009-09-06 12:49:17 -0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2009-09-12 08:48:40 -0400
commit928ec5f148e729076e9202e7c78babede628a50c (patch)
tree2ad9c7263728d6f1ba91f69003873ed80e966328 /drivers/firewire
parent64549e9357e5222a73e41aa87372b37abb047720 (diff)
firewire: ohci: fix Self ID Count register mask (safeguard against buffer overflow)
The selfIDSize field of Self ID Count is 9 bits wide, and we are only interested in the high 8 bits. Fix the mask accordingly. The previously too large mask didn't do damage though because the next few bits in the register are reserved and therefore zero with presently existing hardware. Also, check for the maximum possible self ID count of 252 (according to OHCI 1.1 clause 11.2 and IEEE 1394a-2000 clause 4.3.4.1, i.e. up to four self IDs of up to 63 nodes, even though IEEE 1394 up to edition 2008 defines only up to three self IDs per node). More than 252 self IDs would only happen if the self ID receive DMA unit malfunctioned, which would likely be caught by other self ID buffer checks. However, check it early to be sure. More than 253 quadlets would overflow the Topology Map CSR. Reported-By: PaX Team Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers/firewire')
-rw-r--r--drivers/firewire/ohci.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
index 76b321bb73f9..5d524254499e 100644
--- a/drivers/firewire/ohci.c
+++ b/drivers/firewire/ohci.c
@@ -1279,8 +1279,8 @@ static void bus_reset_tasklet(unsigned long data)
1279 * the inverted quadlets and a header quadlet, we shift one 1279 * the inverted quadlets and a header quadlet, we shift one
1280 * bit extra to get the actual number of self IDs. 1280 * bit extra to get the actual number of self IDs.
1281 */ 1281 */
1282 self_id_count = (reg >> 3) & 0x3ff; 1282 self_id_count = (reg >> 3) & 0xff;
1283 if (self_id_count == 0) { 1283 if (self_id_count == 0 || self_id_count > 252) {
1284 fw_notify("inconsistent self IDs\n"); 1284 fw_notify("inconsistent self IDs\n");
1285 return; 1285 return;
1286 } 1286 }