aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorStefan Richter <stefanr@s5r6.in-berlin.de>2007-07-01 07:56:03 -0400
committerStefan Richter <stefanr@s5r6.in-berlin.de>2007-07-09 18:07:47 -0400
commit332ef3310bc37ff29fd4382d6dfb38a787078091 (patch)
tree63313482ee19fffea5900bacf52c1c660528f72a /drivers
parent9fb2dd12c019965ffd15e5a0727af14488b3a772 (diff)
firewire: fw-sbp2: add a boundary check
Add rudimentary check for the case that the page table overflows due to merging of s/g elements by the IOMMU. This would have lead to overwriting of arbitrary memory. After this change I expect that an offending command will be unsuccessfully retried until the scsi_device is taken offline by SCSI core. It's a border case and not worth to implement a recovery strategy. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Acked-by: Kristian Høgsberg <krh@redhat.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/firewire/fw-sbp2.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/firewire/fw-sbp2.c b/drivers/firewire/fw-sbp2.c
index 212674d723e3..c7518ea4c8ee 100644
--- a/drivers/firewire/fw-sbp2.c
+++ b/drivers/firewire/fw-sbp2.c
@@ -937,6 +937,11 @@ static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb)
937 sg_len = sg_dma_len(sg + i); 937 sg_len = sg_dma_len(sg + i);
938 sg_addr = sg_dma_address(sg + i); 938 sg_addr = sg_dma_address(sg + i);
939 while (sg_len) { 939 while (sg_len) {
940 /* FIXME: This won't get us out of the pinch. */
941 if (unlikely(j >= ARRAY_SIZE(orb->page_table))) {
942 fw_error("page table overflow\n");
943 goto fail_page_table;
944 }
940 l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH); 945 l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH);
941 orb->page_table[j].low = sg_addr; 946 orb->page_table[j].low = sg_addr;
942 orb->page_table[j].high = (l << 16); 947 orb->page_table[j].high = (l << 16);