diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-07-01 13:56:03 +0200 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2007-07-10 00:07:47 +0200 |
commit | 332ef3310bc37ff29fd4382d6dfb38a787078091 (patch) | |
tree | 63313482ee19fffea5900bacf52c1c660528f72a /drivers/firewire | |
parent | 9fb2dd12c019965ffd15e5a0727af14488b3a772 (diff) |
firewire: fw-sbp2: add a boundary check
Add rudimentary check for the case that the page table overflows due to
merging of s/g elements by the IOMMU. This would have lead to
overwriting of arbitrary memory.
After this change I expect that an offending command will be
unsuccessfully retried until the scsi_device is taken offline by SCSI
core. It's a border case and not worth to implement a recovery
strategy.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Acked-by: Kristian Høgsberg <krh@redhat.com>
Diffstat (limited to 'drivers/firewire')
-rw-r--r-- | drivers/firewire/fw-sbp2.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/firewire/fw-sbp2.c b/drivers/firewire/fw-sbp2.c index 212674d723e3..c7518ea4c8ee 100644 --- a/drivers/firewire/fw-sbp2.c +++ b/drivers/firewire/fw-sbp2.c @@ -937,6 +937,11 @@ static int sbp2_command_orb_map_scatterlist(struct sbp2_command_orb *orb) sg_len = sg_dma_len(sg + i); sg_addr = sg_dma_address(sg + i); while (sg_len) { + /* FIXME: This won't get us out of the pinch. */ + if (unlikely(j >= ARRAY_SIZE(orb->page_table))) { + fw_error("page table overflow\n"); + goto fail_page_table; + } l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH); orb->page_table[j].low = sg_addr; orb->page_table[j].high = (l << 16); |