diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2008-05-31 19:36:06 +0200 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2008-06-19 00:12:34 +0200 |
commit | ccff962943df539c5860aa120eecc189d70a308b (patch) | |
tree | 645f031d3b751a30e20ce65e364948fb9426f7b2 | |
parent | firewire: don't panic on invalid AR request buffer (diff) | |
download | linux-ccff962943df539c5860aa120eecc189d70a308b.tar.xz linux-ccff962943df539c5860aa120eecc189d70a308b.zip |
firewire: fw-ohci: use of uninitialized data in AR handler
header_length and payload_length are filled with random data if an
unknown tcode was read from the AR buffer (i.e. if the AR buffer
contained invalid data).
We still need a better strategy to recover from this, but at least
handle_ar_packet now doesn't return out of bound buffer addresses
anymore.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
-rw-r--r-- | drivers/firewire/fw-ohci.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/firewire/fw-ohci.c b/drivers/firewire/fw-ohci.c index 4f02c55f13e1..b062e736b786 100644 --- a/drivers/firewire/fw-ohci.c +++ b/drivers/firewire/fw-ohci.c @@ -548,6 +548,11 @@ static __le32 *handle_ar_packet(struct ar_context *ctx, __le32 *buffer) p.header_length = 12; p.payload_length = 0; break; + + default: + /* FIXME: Stop context, discard everything, and restart? */ + p.header_length = 0; + p.payload_length = 0; } p.payload = (void *) buffer + p.header_length; |