aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/s390
diff options
context:
space:
mode:
authorHolger Dengler <hd@linux.vnet.ibm.com>2011-12-27 05:27:19 -0500
committerMartin Schwidefsky <schwidefsky@de.ibm.com>2011-12-27 05:27:13 -0500
commit7fe6f0970cf87dfd71452f5ec7ea54654acc9d6f (patch)
treee10172ae7cbade8bf488d6053f5f4d7955a11b05 /drivers/s390
parentaa33c8cbbae2eb98489a3a363099b362146a8f4c (diff)
[S390] zcrypt: Rework length parameter checking.
Fix length checking of the expected reply and remove re-adjustment of expected control block length. Signed-off-by: Holger Dengler <hd@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r--drivers/s390/crypto/zcrypt_pcixcc.c24
1 files changed, 6 insertions, 18 deletions
diff --git a/drivers/s390/crypto/zcrypt_pcixcc.c b/drivers/s390/crypto/zcrypt_pcixcc.c
index dd4737808e06..646fb8f11512 100644
--- a/drivers/s390/crypto/zcrypt_pcixcc.c
+++ b/drivers/s390/crypto/zcrypt_pcixcc.c
@@ -56,11 +56,6 @@
56#define PCIXCC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */ 56#define PCIXCC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */
57 57
58#define PCIXCC_MAX_XCRB_MESSAGE_SIZE (12*1024) 58#define PCIXCC_MAX_XCRB_MESSAGE_SIZE (12*1024)
59#define PCIXCC_MAX_XCRB_RESPONSE_SIZE PCIXCC_MAX_XCRB_MESSAGE_SIZE
60#define PCIXCC_MAX_XCRB_DATA_SIZE (11*1024)
61#define PCIXCC_MAX_XCRB_REPLY_SIZE (5*1024)
62
63#define PCIXCC_MAX_RESPONSE_SIZE PCIXCC_MAX_XCRB_RESPONSE_SIZE
64 59
65#define PCIXCC_CLEANUP_TIME (15*HZ) 60#define PCIXCC_CLEANUP_TIME (15*HZ)
66 61
@@ -296,18 +291,11 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev,
296 xcRB->request_data_length; 291 xcRB->request_data_length;
297 if (ap_msg->length > PCIXCC_MAX_XCRB_MESSAGE_SIZE) 292 if (ap_msg->length > PCIXCC_MAX_XCRB_MESSAGE_SIZE)
298 return -EFAULT; 293 return -EFAULT;
299 if (CEIL4(xcRB->reply_control_blk_length) > PCIXCC_MAX_XCRB_REPLY_SIZE) 294 replylen = sizeof(struct type86_fmt2_msg) +
300 return -EFAULT; 295 CEIL4(xcRB->reply_control_blk_length) +
301 if (CEIL4(xcRB->reply_data_length) > PCIXCC_MAX_XCRB_DATA_SIZE) 296 xcRB->reply_data_length;
297 if (replylen > PCIXCC_MAX_XCRB_MESSAGE_SIZE)
302 return -EFAULT; 298 return -EFAULT;
303 replylen = CEIL4(xcRB->reply_control_blk_length) +
304 CEIL4(xcRB->reply_data_length) +
305 sizeof(struct type86_fmt2_msg);
306 if (replylen > PCIXCC_MAX_XCRB_RESPONSE_SIZE) {
307 xcRB->reply_control_blk_length = PCIXCC_MAX_XCRB_RESPONSE_SIZE -
308 (sizeof(struct type86_fmt2_msg) +
309 CEIL4(xcRB->reply_data_length));
310 }
311 299
312 /* prepare type6 header */ 300 /* prepare type6 header */
313 msg->hdr = static_type6_hdrX; 301 msg->hdr = static_type6_hdrX;
@@ -678,7 +666,7 @@ static void zcrypt_pcixcc_receive(struct ap_device *ap_dev,
678 break; 666 break;
679 case PCIXCC_RESPONSE_TYPE_XCRB: 667 case PCIXCC_RESPONSE_TYPE_XCRB:
680 length = t86r->fmt2.offset2 + t86r->fmt2.count2; 668 length = t86r->fmt2.offset2 + t86r->fmt2.count2;
681 length = min(PCIXCC_MAX_XCRB_RESPONSE_SIZE, length); 669 length = min(PCIXCC_MAX_XCRB_MESSAGE_SIZE, length);
682 memcpy(msg->message, reply->message, length); 670 memcpy(msg->message, reply->message, length);
683 break; 671 break;
684 default: 672 default:
@@ -1043,7 +1031,7 @@ static int zcrypt_pcixcc_probe(struct ap_device *ap_dev)
1043 struct zcrypt_device *zdev; 1031 struct zcrypt_device *zdev;
1044 int rc = 0; 1032 int rc = 0;
1045 1033
1046 zdev = zcrypt_device_alloc(PCIXCC_MAX_RESPONSE_SIZE); 1034 zdev = zcrypt_device_alloc(PCIXCC_MAX_XCRB_MESSAGE_SIZE);
1047 if (!zdev) 1035 if (!zdev)
1048 return -ENOMEM; 1036 return -ENOMEM;
1049 zdev->ap_dev = ap_dev; 1037 zdev->ap_dev = ap_dev;