firewire: fw-ohci: use of uninitialized data in AR handler
author Stefan Richter <stefanr@s5r6.in-berlin.de>
Sat, 31 May 2008 17:36:06 +0000 (19:36 +0200)
committer Stefan Richter <stefanr@s5r6.in-berlin.de>
Wed, 18 Jun 2008 22:12:34 +0000 (00:12 +0200)

header_length and payload_length are filled with random data if an
unknown tcode was read from the AR buffer (i.e. if the AR buffer
contained invalid data).

We still need a better strategy to recover from this, but at least
handle_ar_packet now doesn't return out of bound buffer addresses
anymore.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
drivers/firewire/fw-ohci.c

index 4f02c55f13e15131b95bc615e540e2931ad63d96..b062e736b78619811016c5b1fd0466c399a82a3f 100644 (file)
@@ -548,6 +548,11 @@ static __le32 *handle_ar_packet(struct ar_context *ctx, __le32 *buffer)
                p.header_length = 12;
                p.payload_length = 0;
                break;
+
+       default:
+               /* FIXME: Stop context, discard everything, and restart? */
+               p.header_length = 0;
+               p.payload_length = 0;
        }
 
        p.payload = (void *) buffer + p.header_length;
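
Review bot: The new `default:` branch zeroes both lengths but then falls out of the switch into `p.payload = (void *) buffer + p.header_length;`, so a packet with an unknown tcode is still processed by the rest of handle_ar_packet as if it were valid, only with an empty header and payload. Consider returning early from the default case, or otherwise marking the packet as invalid, so nothing downstream acts on it. If the function's return value is computed from these lengths, also confirm that the caller's loop still advances past the bad data and cannot spin on the same buffer address. Two smaller points: the branch has no `break;`, which is harmless as the last case but inconsistent with the cases above it, and nothing records the unknown tcode, so a rate-limited error message here would make corrupted AR buffers visible in the logs until the recovery strategy in the FIXME exists.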