rk_fiq_debugger: map signal irq for fiq mode
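--- a/drivers/scsi/aacraid/commctrl.c
+++ b/drivers/scsi/aacraid/commctrl.c
@@ -63,7 +63,7 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
 struct fib *fibptr;
 struct hw_fib * hw_fib = (struct hw_fib *)0;
 dma_addr_t hw_fib_pa = (dma_addr_t)0LL;
- unsigned size;
+ unsigned int size, osize;
 int retval;
 if (dev->in_reset) {
@@ -87,7 +87,8 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
 * will not overrun the buffer when we copy the memory. Return
 * an error if we would.
 */
- size = le16_to_cpu(kfib->header.Size) + sizeof(struct aac_fibhdr);
+ osize = size = le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr);
 if (size < le16_to_cpu(kfib->header.SenderSize))
 size = le16_to_cpu(kfib->header.SenderSize);
 if (size > dev->max_fib_size) {
@@ -118,6 +119,14 @@ static int ioctl_send_fib(struct aac_dev * dev, void __user *arg)
 goto cleanup;
 }
+ /* Sanity check the second copy */
+ if ((osize != le16_to_cpu(kfib->header.Size) +
+ sizeof(struct aac_fibhdr))
+ || (size < le16_to_cpu(kfib->header.SenderSize))) {
+ retval = -EINVAL;
+ goto cleanup;
+ }
+
 if (kfib->header.Command == cpu_to_le16(TakeABreakPt)) {
 aac_adapter_interrupt(dev);
 /*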
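Review bot: The comment `/* Sanity check the second copy */` in the third hunk does not say what the check defends against, so a later cleanup could drop it as redundant with the bounds check in the second hunk. Presumably the header is read from user memory a second time after `size` was validated against `dev->max_fib_size`, and another thread can change `header.Size` or `header.SenderSize` in between. I would spell that out, for example `/* kfib was re-read from user space: reject it if Size/SenderSize no longer match the values that were bounds-checked above */`. The recheck covers only these two fields, so it is worth confirming that no other header field is validated before the re-read. `ioctl_send_fib` begins and ends outside these hunks, so the copy calls themselves are not visible here.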