Commit ccff9629 authored by Stefan Richter

firewire: fw-ohci: use of uninitialized data in AR handler

header_length and payload_length are filled with random data if an
unknown tcode was read from the AR buffer (i.e. if the AR buffer
contained invalid data).

We still need a better strategy to recover from this, but at least
handle_ar_packet now doesn't return out of bound buffer addresses
anymore.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
parent 0bf607c5
...@@ -548,6 +548,11 @@ static __le32 *handle_ar_packet(struct ar_context *ctx, __le32 *buffer) ...@@ -548,6 +548,11 @@ static __le32 *handle_ar_packet(struct ar_context *ctx, __le32 *buffer)
p.header_length = 12; p.header_length = 12;
p.payload_length = 0; p.payload_length = 0;
break; break;
default:
/* FIXME: Stop context, discard everything, and restart? */
p.header_length = 0;
p.payload_length = 0;
} }
p.payload = (void *) buffer + p.header_length; p.payload = (void *) buffer + p.header_length;
......
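Review bot: In the new default: branch, setting both p.header_length and p.payload_length to 0 makes p.payload equal to buffer itself, so if the returned address is derived from these two lengths the function consumes nothing from the AR buffer. Please confirm that the caller cannot keep re-reading the same unknown tcode when the pointer does not advance, or have this branch report the error explicitly so the caller stops processing the buffer. The branch is also silent: logging the unknown tcode here would make a corrupted AR buffer visible, which matters while the recovery strategy named in the FIXME is still open.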