Commit:     627934448ec80f823eafd0a7d4b7541515d543a3
Parent:     fffbfeaa680e2b87a591e141f2aa7e9e91184956
Author:     Michael Albaugh <[EMAIL PROTECTED]>
AuthorDate: Thu Oct 18 10:36:40 2007 -0700
Committer:  Roland Dreier <[EMAIL PROTECTED]>
CommitDate: Tue Oct 30 10:58:53 2007 -0700

    IB/ipath: Limit length checksummed in eeprom
    The small eeprom that holds the GUID etc. contains a data-length, but if
    the actual eeprom is new or has been erased, that byte will be 0xFF,
    which is greater than the maximum physical length of the eeprom, and
    more importantly greater than the length of the buffer we vmalloc'd.
    Sanity-check the length to avoid the possbility of reading past end of
    Signed-off-by: Michael Albaugh <[EMAIL PROTECTED]>
    Signed-off-by: Roland Dreier <[EMAIL PROTECTED]>
 drivers/infiniband/hw/ipath/ipath_eeprom.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/drivers/infiniband/hw/ipath/ipath_eeprom.c 
index bcfa3cc..e7c25db 100644
--- a/drivers/infiniband/hw/ipath/ipath_eeprom.c
+++ b/drivers/infiniband/hw/ipath/ipath_eeprom.c
@@ -538,7 +538,15 @@ static u8 flash_csum(struct ipath_flash *ifp, int adjust)
        u8 *ip = (u8 *) ifp;
        u8 csum = 0, len;
-       for (len = 0; len < ifp->if_length; len++)
+       /*
+        * Limit length checksummed to max length of actual data.
+        * Checksum of erased eeprom will still be bad, but we avoid
+        * reading past the end of the buffer we were passed.
+        */
+       len = ifp->if_length;
+       if (len > sizeof(struct ipath_flash))
+               len = sizeof(struct ipath_flash);
+       while (len--)
                csum += *ip++;
        csum -= ifp->if_csum;
        csum = ~csum;
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at

Reply via email to