Fix buffer overflow in csr1212.c.

Signed-off-by: Steve Kinneberg <kberg@linux13294.org> Signed-off-by: Jody McIntyre <scjody@modernduck.com>

Fix buffer overflow in csr1212.c.
Signed-off-by: Steve Kinneberg <kberg@linux13294.org> Signed-off-by: Jody McIntyre <scjody@modernduck.com>
6cb08ca8 · Jody McIntyre · 8ae4054a · 6cb08ca8
Commit 6cb08ca8 authored Jan 29, 2005 by Jody McIntyre
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 2 deletions

drivers/ieee1394/csr1212.c drivers/ieee1394/csr1212.c +5 -2

No files found.
--- a/drivers/ieee1394/csr1212.c
+++ b/drivers/ieee1394/csr1212.c
@@ -1422,6 +1422,7 @@ int _csr1212_read_keyval(struct csr1212_csr *csr, struct csr1212_keyval *kv)

 	if (!cache) {
 		csr1212_quad_t q;
+		u_int32_t cache_size;

 		/* Only create a new cache for Extended ROM leaves. */
 		if (kv->key.id != CSR1212_KV_ID_EXTENDED_ROM)
@@ -1435,8 +1436,10 @@ int _csr1212_read_keyval(struct csr1212_csr *csr, struct csr1212_keyval *kv)

 		kv->value.leaf.len = CSR1212_BE32_TO_CPU(q) >> 16;

-		cache = csr1212_rom_cache_malloc(kv->offset,
-						 quads_to_bytes(kv->value.leaf.len + 1));
+		cache_size = (quads_to_bytes(kv->value.leaf.len + 1) +
+			      (csr->max_rom - 1)) & ~(csr->max_rom - 1);
+
+		cache = csr1212_rom_cache_malloc(kv->offset, cache_size);
 		if (!cache)
 			return CSR1212_ENOMEM;