diff options
author | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2010-07-23 13:02:54 +0200 |
---|---|---|
committer | Stefan Richter <stefanr@s5r6.in-berlin.de> | 2010-07-23 13:36:28 +0200 |
commit | 0c9ae701ae1caf657326db22d61074b40a747c9d (patch) | |
tree | 97eccc9b9941e71c471b5b3f32450c89f476093f /drivers/firewire/core-transaction.c | |
parent | cc550216ae9a2993ef3973464714dc1a39ab1f86 (diff) | |
download | linux-0c9ae701ae1caf657326db22d61074b40a747c9d.tar.gz linux-0c9ae701ae1caf657326db22d61074b40a747c9d.tar.bz2 linux-0c9ae701ae1caf657326db22d61074b40a747c9d.zip |
firewire: core: fix upper bound of possible CSR allocations
region->end is defined as an upper bound of the requested address range,
exclusive --- i.e. as an address outside of the range in which the
requested CSR is to be placed.
Hence 0x0001,0000,0000,0000 is the biggest valid region->end, not
0x0000,ffff,ffff,fffc like the current check asserted.
For simplicity, the fix drops the region->end & 3 test because there is
no actual problem with these bits set in region->end. The allocated
address range will be quadlet aligned and of a size of multiple quadlets
due to the checks for region->start & 3 and handler->length & 3 alone.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Diffstat (limited to 'drivers/firewire/core-transaction.c')
-rw-r--r-- | drivers/firewire/core-transaction.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c index 6f225cacbc3d..ca7ca56661e0 100644 --- a/drivers/firewire/core-transaction.c +++ b/drivers/firewire/core-transaction.c @@ -543,8 +543,8 @@ int fw_core_add_address_handler(struct fw_address_handler *handler, int ret = -EBUSY; if (region->start & 0xffff000000000003ULL || - region->end & 0xffff000000000003ULL || region->start >= region->end || + region->end > 0x0001000000000000ULL || handler->length & 3 || handler->length == 0) return -EINVAL; |