From patchwork Wed Feb 11 22:55:40 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: roel kluin X-Patchwork-Id: 22961 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id 7D8EDDDDA8 for ; Thu, 12 Feb 2009 09:55:40 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755705AbZBKWzf (ORCPT ); Wed, 11 Feb 2009 17:55:35 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1755536AbZBKWzf (ORCPT ); Wed, 11 Feb 2009 17:55:35 -0500 Received: from mail-bw0-f161.google.com ([209.85.218.161]:48293 "EHLO mail-bw0-f161.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755469AbZBKWze (ORCPT ); Wed, 11 Feb 2009 17:55:34 -0500 Received: by bwz5 with SMTP id 5so641522bwz.13 for ; Wed, 11 Feb 2009 14:55:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=aeSS26yrByVTatlZfXWyA6qk7dkHKNBwgrsMmKd8m6A=; b=HyoU7pK26Xl2NxfbLBplNXbRy9reOgywDYNaX/3zITSiO2FCoXJUeXk9xnFNQO7xsz THm9txywVZIGw5F3GSS0bORXorU64aF8VEcAsZxpYKf6L/+r2dWwnWX0RZsSr+YBYlh3 0bzDbrcygudOYKjsFrD84P9sgS/DaqTDvURkk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=AgNd6WBgC6fscuedqfuE5B5DlpMdqlI9BtE5fIq+B+d7aaWa3H6/6n1tnW1rn5baDT k7/F+1k5OwuDM6LXvKCg2XXlxcJoBfUshbXrLOSpcETRK/YGEH6CiFu90O0bZDz9nCOb 6O7+W6JsJ6656y/J9Qgf/KcIk5Mh79sN0kkLs= Received: by 10.223.107.19 with SMTP id z19mr256639fao.27.1234392932395; Wed, 11 Feb 2009 14:55:32 -0800 (PST) Received: from ?192.168.1.115? (d133062.upc-d.chello.nl [213.46.133.62]) by mx.google.com with ESMTPS id c4sm1692160nfi.60.2009.02.11.14.55.31 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 11 Feb 2009 14:55:32 -0800 (PST) Message-ID: <4993576C.8080409@gmail.com> Date: Wed, 11 Feb 2009 23:55:40 +0100 From: Roel Kluin User-Agent: Thunderbird 2.0.0.18 (X11/20081105) MIME-Version: 1.0 To: Jarek Poplawski CC: "David S. Miller" , netdev@vger.kernel.org, Andrew Morton , philb@gnu.org Subject: [PATCH] 3c505: do not set pcb->data.raw beyond its size References: <20090211133341.GB12362@ff.dom.local> <4992DF3C.7070802@gmail.com> <20090211171403.GA2539@ami.dom.local> <49932805.7050309@gmail.com> <20090211202755.GA2550@ami.dom.local> <20090211205854.GB2550@ami.dom.local> In-Reply-To: <20090211205854.GB2550@ami.dom.local> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Many thanks, Jarek, Is this changelog ok? ------------------------------>8----------------8<------------------------------ Ensure that we do not set pcb->data.raw beyond its size, print an error message and return false if we attempt to. A timout message was printed one too early. Signed-off-by: Roel Kluin --- -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/3c505.c b/drivers/net/3c505.c index 6124605..a8107f9 100644 --- a/drivers/net/3c505.c +++ b/drivers/net/3c505.c @@ -493,21 +493,27 @@ static bool receive_pcb(struct net_device *dev, pcb_struct * pcb) } /* read the data */ spin_lock_irqsave(&adapter->lock, flags); - i = 0; - do { - j = 0; - while (((stat = get_status(dev->base_addr)) & ACRF) == 0 && j++ < 20000); - pcb->data.raw[i++] = inb_command(dev->base_addr); - if (i > MAX_PCB_DATA) - INVALID_PCB_MSG(i); - } while ((stat & ASF_PCB_MASK) != ASF_PCB_END && j < 20000); + for (i = 0; i < MAX_PCB_DATA; i++) { + for (j = 0; j < 20000; j++) { + stat = get_status(dev->base_addr); + if (stat & ACRF) + break; + } + pcb->data.raw[i] = inb_command(dev->base_addr); + if ((stat & ASF_PCB_MASK) == ASF_PCB_END || j >= 20000) + break; + } spin_unlock_irqrestore(&adapter->lock, flags); + if (i >= MAX_PCB_DATA) { + INVALID_PCB_MSG(i); + return false; + } if (j >= 20000) { TIMEOUT_MSG(__LINE__); return false; } - /* woops, the last "data" byte was really the length! */ - total_length = pcb->data.raw[--i]; + /* the last "data" byte was really the length! */ + total_length = pcb->data.raw[i]; /* safety check total length vs data length */ if (total_length != (pcb->length + 2)) {