authorMichael Albaugh <Michael.Albaugh@Qlogic.com>2007-10-18 19:36:40 +0200
committerRoland Dreier <rolandd@cisco.com>2007-10-30 18:58:53 +0100
commit627934448ec80f823eafd0a7d4b7541515d543a3 (patch)
treed29e64a2c7ac9d9b27d371911013c091a1b8f96f /drivers/infiniband
parentIB/ipath: Fix a race where s_last is updated without lock held (diff)
IB/ipath: Limit length checksummed in eeprom
The small eeprom that holds the GUID etc. contains a data-length, but if the actual eeprom is new or has been erased, that byte will be 0xFF, which is greater than the maximum physical length of the eeprom, and more importantly greater than the length of the buffer we vmalloc'd. Sanity-check the length to avoid the possibility of reading past the end of the buffer. Signed-off-by: Michael Albaugh <Michael.Albaugh@Qlogic.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Diffstat (limited to 'drivers/infiniband')
-rw-r--r--drivers/infiniband/hw/ipath/ipath_eeprom.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/infiniband/hw/ipath/ipath_eeprom.c b/drivers/infiniband/hw/ipath/ipath_eeprom.c
index bcfa3ccb555f..e7c25dbbcdc9 100644
--- a/drivers/infiniband/hw/ipath/ipath_eeprom.c
+++ b/drivers/infiniband/hw/ipath/ipath_eeprom.c
@@ -538,7 +538,15 @@ static u8 flash_csum(struct ipath_flash *ifp, int adjust)
u8 *ip = (u8 *) ifp;
u8 csum = 0, len;
- for (len = 0; len < ifp->if_length; len++)
+ /*
+ * Limit length checksummed to max length of actual data.
+ * Checksum of erased eeprom will still be bad, but we avoid
+ * reading past the end of the buffer we were passed.
+ */
+ len = ifp->if_length;
+ if (len > sizeof(struct ipath_flash))
+ len = sizeof(struct ipath_flash);
+ while (len--)
csum += *ip++;
csum -= ifp->if_csum;
csum = ~csum;
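Review bot: The clamp at `if (len > sizeof(struct ipath_flash))` bounds the read by the structure size, not by the size of the buffer the caller actually allocated, and flash_csum() takes no length argument to check against. The read stays in bounds only if every caller passes at least `sizeof(struct ipath_flash)` bytes, which is not visible in this hunk; I would state that precondition in the new comment, e.g. `* Callers must pass a buffer of at least sizeof(struct ipath_flash) bytes.` An oversized `if_length` is also silently truncated, so rejecting the image relies on the checksum mismatching. If the caller (outside this hunk) does not already do so, an explicit `ifp->if_length > sizeof(struct ipath_flash)` check there would treat an implausible device-supplied length as invalid. The function body starts before and continues past the hunk.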