aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/firewire/fw-device-cdev.c
diff options
context:
space:
mode:
Diffstat (limited to 'drivers/firewire/fw-device-cdev.c')
-rw-r--r--drivers/firewire/fw-device-cdev.c23
1 files changed, 19 insertions, 4 deletions
diff --git a/drivers/firewire/fw-device-cdev.c b/drivers/firewire/fw-device-cdev.c
index 6284375c6390..1101ccd9b9c1 100644
--- a/drivers/firewire/fw-device-cdev.c
+++ b/drivers/firewire/fw-device-cdev.c
@@ -406,8 +406,12 @@ static int ioctl_create_iso_context(struct client *client, void __user *arg)
406 if (copy_from_user(&request, arg, sizeof request)) 406 if (copy_from_user(&request, arg, sizeof request))
407 return -EFAULT; 407 return -EFAULT;
408 408
409 if (request.type > FW_ISO_CONTEXT_RECEIVE)
410 return -EINVAL;
411
409 client->iso_context = fw_iso_context_create(client->device->card, 412 client->iso_context = fw_iso_context_create(client->device->card,
410 FW_ISO_CONTEXT_TRANSMIT, 413 request.type,
414 request.header_size,
411 iso_callback, client); 415 iso_callback, client);
412 if (IS_ERR(client->iso_context)) 416 if (IS_ERR(client->iso_context))
413 return PTR_ERR(client->iso_context); 417 return PTR_ERR(client->iso_context);
@@ -419,7 +423,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
419{ 423{
420 struct fw_cdev_queue_iso request; 424 struct fw_cdev_queue_iso request;
421 struct fw_cdev_iso_packet __user *p, *end, *next; 425 struct fw_cdev_iso_packet __user *p, *end, *next;
422 unsigned long payload, payload_end; 426 unsigned long payload, payload_end, header_length;
423 int count; 427 int count;
424 struct { 428 struct {
425 struct fw_iso_packet packet; 429 struct fw_iso_packet packet;
@@ -456,12 +460,23 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
456 while (p < end) { 460 while (p < end) {
457 if (__copy_from_user(&u.packet, p, sizeof *p)) 461 if (__copy_from_user(&u.packet, p, sizeof *p))
458 return -EFAULT; 462 return -EFAULT;
463
464 if (client->iso_context->type == FW_ISO_CONTEXT_TRANSMIT) {
465 header_length = u.packet.header_length;
466 } else {
467 /* We require that header_length is a multiple of
468 * the fixed header size, ctx->header_size */
469 if (u.packet.header_length % client->iso_context->header_size != 0)
470 return -EINVAL;
471 header_length = 0;
472 }
473
459 next = (struct fw_cdev_iso_packet __user *) 474 next = (struct fw_cdev_iso_packet __user *)
460 &p->header[u.packet.header_length / 4]; 475 &p->header[header_length / 4];
461 if (next > end) 476 if (next > end)
462 return -EINVAL; 477 return -EINVAL;
463 if (__copy_from_user 478 if (__copy_from_user
464 (u.packet.header, p->header, u.packet.header_length)) 479 (u.packet.header, p->header, header_length))
465 return -EFAULT; 480 return -EFAULT;
466 if (u.packet.skip && 481 if (u.packet.skip &&
467 u.packet.header_length + u.packet.payload_length > 0) 482 u.packet.header_length + u.packet.payload_length > 0)