X-Git-Url: http://git.rot13.org/?a=blobdiff_plain;f=drivers%2Fieee1394%2Fraw1394.c;h=f1d05eeb9f5190216b68504dc78fcc1fb7ef38fe;hb=fcf75356e9cf0460ef47a5b756bc3b0951ecab59;hp=bb897a37d9f778cf2f64661c06069461d5d63fc5;hpb=ebbe46f73a11a667df59cb8e58b371c0a35f29d0;p=powerpc.git
diff --git a/drivers/ieee1394/raw1394.c b/drivers/ieee1394/raw1394.c
index bb897a37d9..f1d05eeb9f 100644
--- a/drivers/ieee1394/raw1394.c
+++ b/drivers/ieee1394/raw1394.c
@@ -35,7 +35,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -937,15 +936,18 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
 struct hpsb_packet *packet;
 int header_length = req->req.misc & 0xffff;
 int expect_response = req->req.misc >> 16;
+ size_t data_size;
- if ((header_length > req->req.length) || (header_length < 12)) {
+ if (header_length > req->req.length || header_length < 12 ||
+ header_length > FIELD_SIZEOF(struct hpsb_packet, header)) {
 req->req.error = RAW1394_ERROR_INVALID_ARG;
 req->req.length = 0;
 queue_complete_req(req);
 return sizeof(struct raw1394_request);
 }
- packet = hpsb_alloc_packet(req->req.length - header_length);
+ data_size = req->req.length - header_length;
+ packet = hpsb_alloc_packet(data_size);
 req->packet = packet;
 if (!packet) return -ENOMEM;
@@ -960,7 +962,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
 if (copy_from_user (packet->data, int2ptr(req->req.sendb) + header_length,
- packet->data_size)) {
+ data_size)) {
 req->req.error = RAW1394_ERROR_MEMFAULT;
 req->req.length = 0;
 queue_complete_req(req);
@@ -974,7 +976,7 @@ static int handle_async_send(struct file_info *fi, struct pending_request *req)
 packet->host = fi->host;
 packet->expect_response = expect_response;
 packet->header_size = header_length;
- packet->data_size = req->req.length - header_length;
+ packet->data_size = data_size;
 req->req.length = 0;
 hpsb_set_packet_complete_task(packet,
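Review bot: In the `@@ -937,15 +936,18 @@` hunk of handle_async_send, `data_size = req->req.length - header_length` has no upper bound: the new check caps `header_length` against `FIELD_SIZEOF(struct hpsb_packet, header)`, but `req->req.length` comes from the request and nothing visible here limits it. This matters more after the change, because the `@@ -960,7 +962,7 @@` hunk now passes the caller-computed `data_size` to `copy_from_user` instead of `packet->data_size`, which was presumably filled in by `hpsb_alloc_packet()`. The copy is therefore only safe if the allocator really reserved at least `data_size` bytes. The body of `hpsb_alloc_packet()` is not on this page, so that cannot be confirmed; I would extend the rejection test with `|| req->req.length - header_length > MAX_PAYLOAD`, where `MAX_PAYLOAD` is a placeholder for the driver's real payload limit. A short comment at the assignment would also help, e.g. `/* user-supplied payload length; hpsb_alloc_packet() may record a different size */`. The function starts before these hunks and continues after them, so an existing limit elsewhere in it may already cover this.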