diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2008-12-14 13:21:01 -0500 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2009-03-24 15:56:38 -0400 |
commit | 3e0b5f0d7cb5fef402517e41eebff5a0f0e65a13 (patch) | |
tree | b712284afebff56dd2e104242f4e6665aaf6c8e4 /drivers/firewire | |
parent | 45ee3199eb3e4233b755a9bb353a0527a4c58b5f (diff) |
firewire: cdev: address handler input validation
Like before my commit 1415d9189e8c59aa9c77a3bba419dcea062c145f,
fw_core_add_address_handler() does not align the address region now.
Instead the caller is required to pass valid parameters.
Since one of the callers of fw_core_add_address_handler() is the cdev
userspace interface, we now check for valid input. If the client is
buggy, we give it a hint with -EINVAL.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers/firewire')
-rw-r--r-- | drivers/firewire/fw-cdev.c | 5 | ||||
-rw-r--r-- | drivers/firewire/fw-transaction.c | 27 |
2 files changed, 21 insertions, 11 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c index 094aee5c8bcf..44af45205dcd 100644 --- a/drivers/firewire/fw-cdev.c +++ b/drivers/firewire/fw-cdev.c | |||
@@ -591,9 +591,10 @@ static int ioctl_allocate(struct client *client, void *buffer) | |||
591 | handler->closure = request->closure; | 591 | handler->closure = request->closure; |
592 | handler->client = client; | 592 | handler->client = client; |
593 | 593 | ||
594 | if (fw_core_add_address_handler(&handler->handler, ®ion) < 0) { | 594 | ret = fw_core_add_address_handler(&handler->handler, ®ion); |
595 | if (ret < 0) { | ||
595 | kfree(handler); | 596 | kfree(handler); |
596 | return -EBUSY; | 597 | return ret; |
597 | } | 598 | } |
598 | 599 | ||
599 | handler->resource.release = release_address_handler; | 600 | handler->resource.release = release_address_handler; |
diff --git a/drivers/firewire/fw-transaction.c b/drivers/firewire/fw-transaction.c index 699ac041f39a..12a6cdcb4475 100644 --- a/drivers/firewire/fw-transaction.c +++ b/drivers/firewire/fw-transaction.c | |||
@@ -449,16 +449,19 @@ const struct fw_address_region fw_unit_space_region = | |||
449 | #endif /* 0 */ | 449 | #endif /* 0 */ |
450 | 450 | ||
451 | /** | 451 | /** |
452 | * Allocate a range of addresses in the node space of the OHCI | 452 | * fw_core_add_address_handler - register for incoming requests |
453 | * controller. When a request is received that falls within the | 453 | * @handler: callback |
454 | * specified address range, the specified callback is invoked. The | 454 | * @region: region in the IEEE 1212 node space address range |
455 | * parameters passed to the callback give the details of the | 455 | * |
456 | * particular request. | 456 | * region->start, ->end, and handler->length have to be quadlet-aligned. |
457 | * | ||
458 | * When a request is received that falls within the specified address range, | ||
459 | * the specified callback is invoked. The parameters passed to the callback | ||
460 | * give the details of the particular request. | ||
457 | * | 461 | * |
458 | * Return value: 0 on success, non-zero otherwise. | 462 | * Return value: 0 on success, non-zero otherwise. |
459 | * The start offset of the handler's address region is determined by | 463 | * The start offset of the handler's address region is determined by |
460 | * fw_core_add_address_handler() and is returned in handler->offset. | 464 | * fw_core_add_address_handler() and is returned in handler->offset. |
461 | * The offset is quadlet-aligned. | ||
462 | */ | 465 | */ |
463 | int | 466 | int |
464 | fw_core_add_address_handler(struct fw_address_handler *handler, | 467 | fw_core_add_address_handler(struct fw_address_handler *handler, |
@@ -468,17 +471,23 @@ fw_core_add_address_handler(struct fw_address_handler *handler, | |||
468 | unsigned long flags; | 471 | unsigned long flags; |
469 | int ret = -EBUSY; | 472 | int ret = -EBUSY; |
470 | 473 | ||
474 | if (region->start & 0xffff000000000003ULL || | ||
475 | region->end & 0xffff000000000003ULL || | ||
476 | region->start >= region->end || | ||
477 | handler->length & 3 || | ||
478 | handler->length == 0) | ||
479 | return -EINVAL; | ||
480 | |||
471 | spin_lock_irqsave(&address_handler_lock, flags); | 481 | spin_lock_irqsave(&address_handler_lock, flags); |
472 | 482 | ||
473 | handler->offset = roundup(region->start, 4); | 483 | handler->offset = region->start; |
474 | while (handler->offset + handler->length <= region->end) { | 484 | while (handler->offset + handler->length <= region->end) { |
475 | other = | 485 | other = |
476 | lookup_overlapping_address_handler(&address_handler_list, | 486 | lookup_overlapping_address_handler(&address_handler_list, |
477 | handler->offset, | 487 | handler->offset, |
478 | handler->length); | 488 | handler->length); |
479 | if (other != NULL) { | 489 | if (other != NULL) { |
480 | handler->offset = | 490 | handler->offset += other->length; |
481 | roundup(other->offset + other->length, 4); | ||
482 | } else { | 491 | } else { |
483 | list_add_tail(&handler->link, &address_handler_list); | 492 | list_add_tail(&handler->link, &address_handler_list); |
484 | ret = 0; | 493 | ret = 0; |