Commit:     332ef3310bc37ff29fd4382d6dfb38a787078091
Parent:     9fb2dd12c019965ffd15e5a0727af14488b3a772
Author:     Stefan Richter <[EMAIL PROTECTED]>
AuthorDate: Sun Jul 1 13:56:03 2007 +0200
Committer:  Stefan Richter <[EMAIL PROTECTED]>
CommitDate: Tue Jul 10 00:07:47 2007 +0200

    firewire: fw-sbp2: add a boundary check
    Add rudimentary check for the case that the page table overflows due to
    merging of s/g elements by the IOMMU.  This would have lead to
    overwriting of arbitrary memory.
    After this change I expect that an offending command will be
    unsuccessfully retried until the scsi_device is taken offline by SCSI
    core.  It's a border case and not worth to implement a recovery
    Signed-off-by: Stefan Richter <[EMAIL PROTECTED]>
    Acked-by: Kristian Høgsberg <[EMAIL PROTECTED]>
 drivers/firewire/fw-sbp2.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/drivers/firewire/fw-sbp2.c b/drivers/firewire/fw-sbp2.c
index 212674d..c7518ea 100644
--- a/drivers/firewire/fw-sbp2.c
+++ b/drivers/firewire/fw-sbp2.c
@@ -937,6 +937,11 @@ static int sbp2_command_orb_map_scatterlist(struct 
sbp2_command_orb *orb)
                sg_len = sg_dma_len(sg + i);
                sg_addr = sg_dma_address(sg + i);
                while (sg_len) {
+                       /* FIXME: This won't get us out of the pinch. */
+                       if (unlikely(j >= ARRAY_SIZE(orb->page_table))) {
+                               fw_error("page table overflow\n");
+                               goto fail_page_table;
+                       }
                        l = min(sg_len, SBP2_MAX_SG_ELEMENT_LENGTH);
                        orb->page_table[j].low = sg_addr;
                        orb->page_table[j].high = (l << 16);
