aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorDomen Puncer <domen.puncer@telargo.com>2007-05-23 16:57:39 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-05-23 23:14:12 -0400
commitda90fa8ff671a0139772ec3b3e82c06077e82122 (patch)
treebf648a91c12174ec0bd32a013cdfc63d62f70753 /drivers
parentb7add02d6247bff34005e040347d81777c80931c (diff)
spi/spidev: check message size before copying
Message size needs to be checked before copying, or bad things could happen. Signed-off-by: Domen Puncer <domen.puncer@telargo.com> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/spi/spidev.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index 225d6b2f82dd..bcfef04f547e 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -168,6 +168,12 @@ static int spidev_message(struct spidev_data *spidev,
168 n--, k_tmp++, u_tmp++) { 168 n--, k_tmp++, u_tmp++) {
169 k_tmp->len = u_tmp->len; 169 k_tmp->len = u_tmp->len;
170 170
171 total += k_tmp->len;
172 if (total > bufsiz) {
173 status = -EMSGSIZE;
174 goto done;
175 }
176
171 if (u_tmp->rx_buf) { 177 if (u_tmp->rx_buf) {
172 k_tmp->rx_buf = buf; 178 k_tmp->rx_buf = buf;
173 if (!access_ok(VERIFY_WRITE, u_tmp->rx_buf, u_tmp->len)) 179 if (!access_ok(VERIFY_WRITE, u_tmp->rx_buf, u_tmp->len))
@@ -179,12 +185,6 @@ static int spidev_message(struct spidev_data *spidev,
179 u_tmp->len)) 185 u_tmp->len))
180 goto done; 186 goto done;
181 } 187 }
182
183 total += k_tmp->len;
184 if (total > bufsiz) {
185 status = -EMSGSIZE;
186 goto done;
187 }
188 buf += k_tmp->len; 188 buf += k_tmp->len;
189 189
190 k_tmp->cs_change = !!u_tmp->cs_change; 190 k_tmp->cs_change = !!u_tmp->cs_change;