Date: Mon, 14 Feb 2011 17:20:20 +0000 (UTC) From: Matthew D Fleming <mdf@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r218685 - head/sys/dev/acpica Message-ID: <201102141720.p1EHKKeU000451@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: mdf Date: Mon Feb 14 17:20:20 2011 New Revision: 218685 URL: http://svn.freebsd.org/changeset/base/218685 Log: Prevent reading from the ACPI_RESOURCE past its actual end. For paranoia limit to the size of the ACPI_RESOURCE as well. Reviewd by: jhb (in spirit) MFC after: 1 week Modified: head/sys/dev/acpica/acpi_resource.c Modified: head/sys/dev/acpica/acpi_resource.c ============================================================================== --- head/sys/dev/acpica/acpi_resource.c Mon Feb 14 16:54:03 2011 (r218684) +++ head/sys/dev/acpica/acpi_resource.c Mon Feb 14 17:20:20 2011 (r218685) @@ -60,6 +60,7 @@ static ACPI_STATUS acpi_lookup_irq_handler(ACPI_RESOURCE *res, void *context) { struct lookup_irq_request *req; + size_t len; u_int irqnum, irq; switch (res->Type) { @@ -82,7 +83,10 @@ acpi_lookup_irq_handler(ACPI_RESOURCE *r req->found = 1; KASSERT(irq == rman_get_start(req->res), ("IRQ resources do not match")); - bcopy(res, req->acpi_res, sizeof(ACPI_RESOURCE)); + len = res->Length; + if (len > sizeof(ACPI_RESOURCE)) + len = sizeof(ACPI_RESOURCE); + bcopy(res, req->acpi_res, len); return (AE_CTRL_TERMINATE); } return (AE_OK);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201102141720.p1EHKKeU000451>