spi/spidev: check message size before copying
authorDomen Puncer <domen.puncer@telargo.com>
Wed, 23 May 2007 20:57:39 +0000 (13:57 -0700)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Thu, 24 May 2007 03:14:12 +0000 (20:14 -0700)
Message size needs to be checked before copying, or bad things could
happen.

Signed-off-by: Domen Puncer <domen.puncer@telargo.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/spi/spidev.c

index 225d6b2f82ddcbc4a4e9031d072e23b2fada88a3..bcfef04f547e122084767751e4ced229e9f8c018 100644 (file)
@@ -168,6 +168,12 @@ static int spidev_message(struct spidev_data *spidev,
                        n--, k_tmp++, u_tmp++) {
                k_tmp->len = u_tmp->len;
 
+               total += k_tmp->len;
+               if (total > bufsiz) {
+                       status = -EMSGSIZE;
+                       goto done;
+               }
+
                if (u_tmp->rx_buf) {
                        k_tmp->rx_buf = buf;
                        if (!access_ok(VERIFY_WRITE, u_tmp->rx_buf, u_tmp->len))
@@ -179,12 +185,6 @@ static int spidev_message(struct spidev_data *spidev,
                                        u_tmp->len))
                                goto done;
                }
-
-               total += k_tmp->len;
-               if (total > bufsiz) {
-                       status = -EMSGSIZE;
-                       goto done;
-               }
                buf += k_tmp->len;
 
                k_tmp->cs_change = !!u_tmp->cs_change;