]> err.no Git - linux-2.6/commitdiff
ieee1394: nodemgr: check info_length in ROM header earlier
authorStefan Richter <stefanr@s5r6.in-berlin.de>
Wed, 3 Jan 2007 18:32:13 +0000 (19:32 +0100)
committerStefan Richter <stefanr@s5r6.in-berlin.de>
Thu, 8 Feb 2007 19:59:03 +0000 (20:59 +0100)
The whole ROM area which is covered by the crc_length field of the ROM
header was fetched before the info_length field was checked for correct
general ROM format.  This might be wasteful or even dangerous with nodes
with minimal ROM, nonstandard ROM, or corrupt ROM.

Perform this check at the earliest opportunity.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
drivers/ieee1394/csr1212.c

index 889ea0dfe2dba28a6c48af9239dff1f831c95ff6..c28f639823d238c187f31daca9552f88c6ec188b 100644 (file)
@@ -1234,6 +1234,12 @@ static int csr1212_parse_bus_info_block(struct csr1212_csr *csr)
                                         csr->private);
                if (ret != CSR1212_SUCCESS)
                        return ret;
+
+               /* check ROM header's info_length */
+               if (i == 0 &&
+                   CSR1212_BE32_TO_CPU(csr->cache_head->data[0]) >> 24 !=
+                   bytes_to_quads(csr->bus_info_len) - 1)
+                       return CSR1212_EINVAL;
        }
 
        bi = (struct csr1212_bus_info_block_img*)csr->cache_head->data;
@@ -1250,9 +1256,6 @@ static int csr1212_parse_bus_info_block(struct csr1212_csr *csr)
                        return ret;
        }
 
-       if (bytes_to_quads(csr->bus_info_len - sizeof(csr1212_quad_t)) != bi->length)
-               return CSR1212_EINVAL;
-
 #if 0
        /* Apparently there are too many differnt wrong implementations of the
         * CRC algorithm that verifying them is moot. */