From d4670ff13ff2a47e6eee17c77ca086182166acf4 Mon Sep 17 00:00:00 2001
From: mdf <mdf@FreeBSD.org>
Date: Mon, 14 Feb 2011 17:20:20 +0000
Subject: Prevent reading from the ACPI_RESOURCE past its actual end.  For
 paranoia limit to the size of the ACPI_RESOURCE as well.

Reviewd by:	jhb (in spirit)
MFC after:	1 week
---
 sys/dev/acpica/acpi_resource.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'sys/dev/acpica/acpi_resource.c')

diff --git a/sys/dev/acpica/acpi_resource.c b/sys/dev/acpica/acpi_resource.c
index d9132b0..645d746 100644
--- a/sys/dev/acpica/acpi_resource.c
+++ b/sys/dev/acpica/acpi_resource.c
@@ -60,6 +60,7 @@ static ACPI_STATUS
 acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context)
 {
     struct lookup_irq_request *req;
+    size_t len;
     u_int irqnum, irq;
 
     switch (res->Type) {
@@ -82,7 +83,10 @@ acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context)
 	req->found = 1;
 	KASSERT(irq == rman_get_start(req->res),
 	    ("IRQ resources do not match"));
-	bcopy(res, req->acpi_res, sizeof(ACPI_RESOURCE));
+	len = res->Length;
+	if (len > sizeof(ACPI_RESOURCE))
+		len = sizeof(ACPI_RESOURCE);
+	bcopy(res, req->acpi_res, len);
 	return (AE_CTRL_TERMINATE);
     }
     return (AE_OK);
-- 
cgit v1.1