diff options
author | Holger Dengler <hd@linux.vnet.ibm.com> | 2011-12-27 05:27:19 -0500 |
---|---|---|
committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2011-12-27 05:27:13 -0500 |
commit | 7fe6f0970cf87dfd71452f5ec7ea54654acc9d6f (patch) | |
tree | e10172ae7cbade8bf488d6053f5f4d7955a11b05 /drivers/s390 | |
parent | aa33c8cbbae2eb98489a3a363099b362146a8f4c (diff) |
[S390] zcrypt: Rework length parameter checking.
Fix length checking of the expected reply and remove re-adjustment of
expected control block length.
Signed-off-by: Holger Dengler <hd@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r-- | drivers/s390/crypto/zcrypt_pcixcc.c | 24 |
1 files changed, 6 insertions, 18 deletions
diff --git a/drivers/s390/crypto/zcrypt_pcixcc.c b/drivers/s390/crypto/zcrypt_pcixcc.c index dd4737808e06..646fb8f11512 100644 --- a/drivers/s390/crypto/zcrypt_pcixcc.c +++ b/drivers/s390/crypto/zcrypt_pcixcc.c | |||
@@ -56,11 +56,6 @@ | |||
56 | #define PCIXCC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */ | 56 | #define PCIXCC_MAX_ICA_RESPONSE_SIZE 0x77c /* max size type86 v2 reply */ |
57 | 57 | ||
58 | #define PCIXCC_MAX_XCRB_MESSAGE_SIZE (12*1024) | 58 | #define PCIXCC_MAX_XCRB_MESSAGE_SIZE (12*1024) |
59 | #define PCIXCC_MAX_XCRB_RESPONSE_SIZE PCIXCC_MAX_XCRB_MESSAGE_SIZE | ||
60 | #define PCIXCC_MAX_XCRB_DATA_SIZE (11*1024) | ||
61 | #define PCIXCC_MAX_XCRB_REPLY_SIZE (5*1024) | ||
62 | |||
63 | #define PCIXCC_MAX_RESPONSE_SIZE PCIXCC_MAX_XCRB_RESPONSE_SIZE | ||
64 | 59 | ||
65 | #define PCIXCC_CLEANUP_TIME (15*HZ) | 60 | #define PCIXCC_CLEANUP_TIME (15*HZ) |
66 | 61 | ||
@@ -296,18 +291,11 @@ static int XCRB_msg_to_type6CPRB_msgX(struct zcrypt_device *zdev, | |||
296 | xcRB->request_data_length; | 291 | xcRB->request_data_length; |
297 | if (ap_msg->length > PCIXCC_MAX_XCRB_MESSAGE_SIZE) | 292 | if (ap_msg->length > PCIXCC_MAX_XCRB_MESSAGE_SIZE) |
298 | return -EFAULT; | 293 | return -EFAULT; |
299 | if (CEIL4(xcRB->reply_control_blk_length) > PCIXCC_MAX_XCRB_REPLY_SIZE) | 294 | replylen = sizeof(struct type86_fmt2_msg) + |
300 | return -EFAULT; | 295 | CEIL4(xcRB->reply_control_blk_length) + |
301 | if (CEIL4(xcRB->reply_data_length) > PCIXCC_MAX_XCRB_DATA_SIZE) | 296 | xcRB->reply_data_length; |
297 | if (replylen > PCIXCC_MAX_XCRB_MESSAGE_SIZE) | ||
302 | return -EFAULT; | 298 | return -EFAULT; |
303 | replylen = CEIL4(xcRB->reply_control_blk_length) + | ||
304 | CEIL4(xcRB->reply_data_length) + | ||
305 | sizeof(struct type86_fmt2_msg); | ||
306 | if (replylen > PCIXCC_MAX_XCRB_RESPONSE_SIZE) { | ||
307 | xcRB->reply_control_blk_length = PCIXCC_MAX_XCRB_RESPONSE_SIZE - | ||
308 | (sizeof(struct type86_fmt2_msg) + | ||
309 | CEIL4(xcRB->reply_data_length)); | ||
310 | } | ||
311 | 299 | ||
312 | /* prepare type6 header */ | 300 | /* prepare type6 header */ |
313 | msg->hdr = static_type6_hdrX; | 301 | msg->hdr = static_type6_hdrX; |
@@ -678,7 +666,7 @@ static void zcrypt_pcixcc_receive(struct ap_device *ap_dev, | |||
678 | break; | 666 | break; |
679 | case PCIXCC_RESPONSE_TYPE_XCRB: | 667 | case PCIXCC_RESPONSE_TYPE_XCRB: |
680 | length = t86r->fmt2.offset2 + t86r->fmt2.count2; | 668 | length = t86r->fmt2.offset2 + t86r->fmt2.count2; |
681 | length = min(PCIXCC_MAX_XCRB_RESPONSE_SIZE, length); | 669 | length = min(PCIXCC_MAX_XCRB_MESSAGE_SIZE, length); |
682 | memcpy(msg->message, reply->message, length); | 670 | memcpy(msg->message, reply->message, length); |
683 | break; | 671 | break; |
684 | default: | 672 | default: |
@@ -1043,7 +1031,7 @@ static int zcrypt_pcixcc_probe(struct ap_device *ap_dev) | |||
1043 | struct zcrypt_device *zdev; | 1031 | struct zcrypt_device *zdev; |
1044 | int rc = 0; | 1032 | int rc = 0; |
1045 | 1033 | ||
1046 | zdev = zcrypt_device_alloc(PCIXCC_MAX_RESPONSE_SIZE); | 1034 | zdev = zcrypt_device_alloc(PCIXCC_MAX_XCRB_MESSAGE_SIZE); |
1047 | if (!zdev) | 1035 | if (!zdev) |
1048 | return -ENOMEM; | 1036 | return -ENOMEM; |
1049 | zdev->ap_dev = ap_dev; | 1037 | zdev->ap_dev = ap_dev; |