From ef370ee74b7a9cb769d50bfb73b4023ee3e37719 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20H=C3=B8gsberg?=
Date: Wed, 28 Mar 2007 20:46:23 +0200
Subject: [PATCH] firewire: Fix the range check for the queue_iso payload pointer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Kristian Høgsberg
Signed-off-by: Stefan Richter (renamed a variable)
---
 drivers/firewire/fw-device-cdev.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/firewire/fw-device-cdev.c b/drivers/firewire/fw-device-cdev.c
index d02dbc5af91e..fab6dfbcca1b 100644
--- a/drivers/firewire/fw-device-cdev.c
+++ b/drivers/firewire/fw-device-cdev.c
@@ -711,7 +711,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
 struct fw_cdev_queue_iso request;
 struct fw_cdev_iso_packet __user *p, *end, *next;
 struct fw_iso_context *ctx = client->iso_context;
- unsigned long payload, payload_end, header_length;
+ unsigned long payload, buffer_end, header_length;
 int count;
 struct {
 struct fw_iso_packet packet;
@@ -732,11 +732,11 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
 * and the request.data pointer is ignored.*/
 payload = (unsigned long)request.data - client->vm_start;
- payload_end = payload + (client->buffer.page_count << PAGE_SHIFT);
+ buffer_end = client->buffer.page_count << PAGE_SHIFT;
 if (request.data == 0 || client->buffer.pages == NULL ||
- payload >= payload_end) {
+ payload >= buffer_end) {
 payload = 0;
- payload_end = 0;
+ buffer_end = 0;
 }
 if (!access_ok(VERIFY_READ, request.packets, request.size))
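Review bot: In the second hunk, `buffer_end = client->buffer.page_count << PAGE_SHIFT;` performs the shift in whatever type `page_count` has, which is not visible here; if it is a 32-bit signed integer, a large buffer could overflow the shift before the result is widened to `unsigned long`, and this value is the bound that a user-supplied `request.data` is checked against. Widening first makes the bound's width explicit: `buffer_end = (unsigned long)client->buffer.page_count << PAGE_SHIFT;`. Because `payload` and `buffer_end` are now both offsets relative to `client->vm_start` rather than addresses, a one-line comment such as `/* payload and buffer_end are byte offsets from client->vm_start */` would keep later edits from mixing the two. The function body and the comment block above the assignment both start outside the hunk.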
@@ -773,7 +773,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
 if (u.packet.skip && ctx->type == FW_ISO_CONTEXT_TRANSMIT && u.packet.header_length + u.packet.payload_length > 0)
 return -EINVAL;
- if (payload + u.packet.payload_length > payload_end)
+ if (payload + u.packet.payload_length > buffer_end)
 return -EINVAL;
 if (fw_iso_context_queue(ctx, &u.packet,
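Review bot: The per-packet bound `payload + u.packet.payload_length > buffer_end` is still written as an addition, so it is only sound if the sum cannot wrap; the width of `payload_length` is not visible in this hunk. The setup code in the earlier hunk leaves `payload <= buffer_end` (either `payload < buffer_end` or both are 0), so the subtraction form `if (u.packet.payload_length > buffer_end - payload)` cannot wrap and states the remaining-space check directly. That invariant holds across iterations only if `payload` is advanced by no more than the accepted `payload_length`, which presumably happens later in the loop outside the hunk and is worth confirming. The enclosing loop starts and ends outside the hunk.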