Commit 62793444 authored by Michael Albaugh's avatar Michael Albaugh Committed by Roland Dreier

IB/ipath: Limit length checksummed in eeprom

The small eeprom that holds the GUID etc. contains a data-length, but if 
the actual eeprom is new or has been erased, that byte will be 0xFF,
which is greater than the maximum physical length of the eeprom, and
more importantly greater than the length of the buffer we vmalloc'd.
Sanity-check the length to avoid the possbility of reading past end of
buffer.
Signed-off-by: default avatarMichael Albaugh <Michael.Albaugh@Qlogic.com>
Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent fffbfeaa
......@@ -538,7 +538,15 @@ static u8 flash_csum(struct ipath_flash *ifp, int adjust)
u8 *ip = (u8 *) ifp;
u8 csum = 0, len;
for (len = 0; len < ifp->if_length; len++)
/*
* Limit length checksummed to max length of actual data.
* Checksum of erased eeprom will still be bad, but we avoid
* reading past the end of the buffer we were passed.
*/
len = ifp->if_length;
if (len > sizeof(struct ipath_flash))
len = sizeof(struct ipath_flash);
while (len--)
csum += *ip++;
csum -= ifp->if_csum;
csum = ~csum;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment