Prevent reading from the ACPI_RESOURCE past its actual end. For

paranoia limit to the size of the ACPI_RESOURCE as well. Reviewd by: jhb (in spirit) MFC after: 1 week
author: mdf <mdf@FreeBSD.org> 2011-02-14 17:20:20 +0000
committer: mdf <mdf@FreeBSD.org> 2011-02-14 17:20:20 +0000
commit: d4670ff13ff2a47e6eee17c77ca086182166acf4 (patch)
tree: 984dfe1265803cc3cf9d68644612027e4e18a959
parent: b90f855a9dcc40bfad6eacda40a6fb2aa27b390d (diff)
download: FreeBSD-src-d4670ff13ff2a47e6eee17c77ca086182166acf4.zip
FreeBSD-src-d4670ff13ff2a47e6eee17c77ca086182166acf4.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/dev/acpica/acpi_resource.c b/sys/dev/acpica/acpi_resource.c
index d9132b0..645d746 100644
--- a/sys/dev/acpica/acpi_resource.c
+++ b/sys/dev/acpica/acpi_resource.c
@@ -60,6 +60,7 @@ static ACPI_STATUS
 acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context)
 {
     struct lookup_irq_request *req;
+    size_t len;
     u_int irqnum, irq;
 
     switch (res->Type) {
@@ -82,7 +83,10 @@ acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context)
 	req->found = 1;
 	KASSERT(irq == rman_get_start(req->res),
 	    ("IRQ resources do not match"));
-	bcopy(res, req->acpi_res, sizeof(ACPI_RESOURCE));
+	len = res->Length;
+	if (len > sizeof(ACPI_RESOURCE))
+		len = sizeof(ACPI_RESOURCE);
+	bcopy(res, req->acpi_res, len);
 	return (AE_CTRL_TERMINATE);
     }
     return (AE_OK);
author	mdf <mdf@FreeBSD.org>	2011-02-14 17:20:20 +0000
committer	mdf <mdf@FreeBSD.org>	2011-02-14 17:20:20 +0000
commit	d4670ff13ff2a47e6eee17c77ca086182166acf4 (patch)
tree	984dfe1265803cc3cf9d68644612027e4e18a959
parent	b90f855a9dcc40bfad6eacda40a6fb2aa27b390d (diff)
download	FreeBSD-src-d4670ff13ff2a47e6eee17c77ca086182166acf4.zip FreeBSD-src-d4670ff13ff2a47e6eee17c77ca086182166acf4.tar.gz