diff options
author | Bob Moore <robert.moore@intel.com> | 2008-04-10 17:06:39 +0200 |
---|---|---|
committer | Len Brown <len.brown@intel.com> | 2008-04-22 20:29:25 +0200 |
commit | 98af37fba9b3e601ca4bded51ef51a2be4e8c97b (patch) | |
tree | 8a162d4b1950935570081f59e500086795362558 /drivers/acpi/executer/exconfig.c | |
parent | ACPICA: Fix for memory leak related to DdbHandle objects (diff) | |
download | linux-98af37fba9b3e601ca4bded51ef51a2be4e8c97b.tar.xz linux-98af37fba9b3e601ca4bded51ef51a2be4e8c97b.zip |
ACPICA: Add a table checksum verify for Load operator
Added a table checksum verification for the Load operator, in
the case where the load is from a buffer.
http://www.acpica.org/bugzilla/show_bug.cgi?id=578
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Diffstat (limited to 'drivers/acpi/executer/exconfig.c')
-rw-r--r-- | drivers/acpi/executer/exconfig.c | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/drivers/acpi/executer/exconfig.c b/drivers/acpi/executer/exconfig.c index a0f34b467a22..dbf1e6f33bba 100644 --- a/drivers/acpi/executer/exconfig.c +++ b/drivers/acpi/executer/exconfig.c @@ -275,6 +275,7 @@ acpi_ex_load_op(union acpi_operand_object *obj_desc, struct acpi_table_desc table_desc; acpi_native_uint table_index; acpi_status status; + u32 length; ACPI_FUNCTION_TRACE(ex_load_op); @@ -322,18 +323,35 @@ acpi_ex_load_op(union acpi_operand_object *obj_desc, "Load from Buffer or Field %p %s\n", obj_desc, acpi_ut_get_object_type_name(obj_desc))); + length = obj_desc->buffer.length; + + /* Must have at least an ACPI table header */ + + if (length < sizeof(struct acpi_table_header)) { + return_ACPI_STATUS(AE_INVALID_TABLE_LENGTH); + } + + /* Validate checksum here. It won't get validated in tb_add_table */ + + status = acpi_tb_verify_checksum((struct acpi_table_header *) + obj_desc->buffer.pointer, + length); + if (ACPI_FAILURE(status)) { + return_ACPI_STATUS(status); + } + /* * We need to copy the buffer since the original buffer could be * changed or deleted in the future */ - table_desc.pointer = ACPI_ALLOCATE(obj_desc->buffer.length); + table_desc.pointer = ACPI_ALLOCATE(length); if (!table_desc.pointer) { return_ACPI_STATUS(AE_NO_MEMORY); } ACPI_MEMCPY(table_desc.pointer, obj_desc->buffer.pointer, - obj_desc->buffer.length); - table_desc.length = obj_desc->buffer.length; + length); + table_desc.length = length; table_desc.flags = ACPI_TABLE_ORIGIN_ALLOCATED; break; |