diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-07-01 07:56:03 -0400 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-07-09 18:07:47 -0400 |
commit | 332ef3310bc37ff29fd4382d6dfb38a787078091 (patch) | |
tree | 63313482ee19fffea5900bacf52c1c660528f72a /drivers | |
parent | 9fb2dd12c019965ffd15e5a0727af14488b3a772 (diff) |
firewire: fw-sbp2: add a boundary check
Add rudimentary check for the case that the page table overflows due to
merging of s/g elements by the IOMMU. This would have lead to
overwriting of arbitrary memory.
After this change I expect that an offending command will be
unsuccessfully retried until the scsi_device is taken offline by SCSI
core. It's a border case and not worth to implement a recovery
strategy.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Acked-by: Kristian Høgsberg <krh@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/firewire/fw-sbp2.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/firewire/fw-sbp2.c b/drivers/firewire/fw-sbp2.c index 212674d723e3..c7518ea4c8ee 100644 --- a/drivers/firewire/fw-sbp2.c +++ b/drivers/firewire/fw-sbp2.c | |||
@@ -937,6 +937,11 @@ static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb) | |||
937 | sg_len = sg_dma_len(sg + i); | 937 | sg_len = sg_dma_len(sg + i); |
938 | sg_addr = sg_dma_address(sg + i); | 938 | sg_addr = sg_dma_address(sg + i); |
939 | while (sg_len) { | 939 | while (sg_len) { |
940 | /* FIXME: This won't get us out of the pinch. */ | ||
941 | if (unlikely(j >= ARRAY_SIZE(orb->page_table))) { | ||
942 | fw_error("page table overflow\n"); | ||
943 | goto fail_page_table; | ||
944 | } | ||
940 | l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH); | 945 | l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH); |
941 | orb->page_table[j].low = sg_addr; | 946 | orb->page_table[j].low = sg_addr; |
942 | orb->page_table[j].high = (l << 16); | 947 | orb->page_table[j].high = (l << 16); |