[PATCH] firewire: fw-ohci: use of uninitialized data in AR handler

From: Stefan Richter
Date: Sat May 31 2008 - 13:36:57 EST

Next message: Greg KH: "Re: via agp patches"
Previous message: Ilpo Järvinen: "Re: [bug] stuck localhost TCP connections, v2.6.26-rc3+"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

header_length and payload_length are filled with random data if an
unknown tcode was read from the AR buffer (i.e. if the AR buffer
contained invalid data).

We still need a better strategy to recover from this, but at least
handle_ar_packet now doesn't return out of bound buffer addresses
anymore.

Signed-off-by: Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>
---
drivers/firewire/fw-ohci.c | 5 +++++
1 file changed, 5 insertions(+)

Index: linux/drivers/firewire/fw-ohci.c
===================================================================
--- linux.orig/drivers/firewire/fw-ohci.c
+++ linux/drivers/firewire/fw-ohci.c
@@ -548,6 +548,11 @@ static __le32 *handle_ar_packet(struct a
p.header_length = 12;
p.payload_length = 0;
break;
+
+ default:
+ /* FIXME: Stop context, discard everything, and restart? */
+ p.header_length = 0;
+ p.payload_length = 0;
}

p.payload = (void *) buffer + p.header_length;

--
Stefan Richter
-=====-==--- -=-= =====
http://arcgraph.de/sr/

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "Re: via agp patches"
Previous message: Ilpo Järvinen: "Re: [bug] stuck localhost TCP connections, v2.6.26-rc3+"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]