diff options
author | Kristian Høgsberg <krh@redhat.com> | 2007-03-28 20:46:23 +0200 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-03-28 21:30:16 +0200 |
commit | ef370ee74b7a9cb769d50bfb73b4023ee3e37719 (patch) | |
tree | f5e2c9e3a05930a303f963e517ec6cbd8cdef690 /drivers/firewire | |
parent | c5dfd0a5b09bf20adf26b3242258679e305c39c8 (diff) | |
download | op-kernel-dev-ef370ee74b7a9cb769d50bfb73b4023ee3e37719.zip op-kernel-dev-ef370ee74b7a9cb769d50bfb73b4023ee3e37719.tar.gz |
firewire: Fix the range check for the queue_iso payload pointer.
Signed-off-by: Kristian Høgsberg <krh@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (renamed a variable)
Diffstat (limited to 'drivers/firewire')
-rw-r--r-- | drivers/firewire/fw-device-cdev.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/firewire/fw-device-cdev.c b/drivers/firewire/fw-device-cdev.c index d02dbc5..fab6dfb 100644 --- a/drivers/firewire/fw-device-cdev.c +++ b/drivers/firewire/fw-device-cdev.c @@ -711,7 +711,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg) struct fw_cdev_queue_iso request; struct fw_cdev_iso_packet __user *p, *end, *next; struct fw_iso_context *ctx = client->iso_context; - unsigned long payload, payload_end, header_length; + unsigned long payload, buffer_end, header_length; int count; struct { struct fw_iso_packet packet; @@ -732,11 +732,11 @@ static int ioctl_queue_iso(struct client *client, void __user *arg) * and the request.data pointer is ignored.*/ payload = (unsigned long)request.data - client->vm_start; - payload_end = payload + (client->buffer.page_count << PAGE_SHIFT); + buffer_end = client->buffer.page_count << PAGE_SHIFT; if (request.data == 0 || client->buffer.pages == NULL || - payload >= payload_end) { + payload >= buffer_end) { payload = 0; - payload_end = 0; + buffer_end = 0; } if (!access_ok(VERIFY_READ, request.packets, request.size)) @@ -773,7 +773,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg) if (u.packet.skip && ctx->type == FW_ISO_CONTEXT_TRANSMIT && u.packet.header_length + u.packet.payload_length > 0) return -EINVAL; - if (payload + u.packet.payload_length > payload_end) + if (payload + u.packet.payload_length > buffer_end) return -EINVAL; if (fw_iso_context_queue(ctx, &u.packet, |