firewire: fw-ohci: use of uninitialized data in AR handler

header_length and payload_length are filled with random data if an
unknown tcode was read from the AR buffer (i.e. if the AR buffer
contained invalid data).

We still need a better strategy to recover from this, but at least
handle_ar_packet now doesn't return out of bound buffer addresses
anymore.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

1 files changed, 5 insertions, 0 deletions

diff --git a/drivers/firewire/fw-ohci.c b/drivers/firewire/fw-ohci.c
index 4f02c55f13e1..b062e736b786 100644
--- a/drivers/firewire/fw-ohci.c
+++ b/drivers/firewire/fw-ohci.c
@@ -548,6 +548,11 @@ static __le32 *handle_ar_packet(struct ar_context *ctx, __le32 *buffer)
                 p.header_length = 12;
                 p.payload_length = 0;
                 break;
+
+        default:
+                /* FIXME: Stop context, discard everything, and restart? */
+                p.header_length = 0;
+                p.payload_length = 0;
         }
 
         p.payload = (void *) buffer + p.header_length;