From patchwork Wed Feb 26 13:30:34 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= <zajec5@gmail.com>
X-Patchwork-Id: 324422
Return-Path: 
 <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from casper.infradead.org (casper.infradead.org
	[IPv6:2001:770:15f::2])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id BD9562C00A5
	for <incoming@patchwork.ozlabs.org>;
	Thu, 27 Feb 2014 00:31:29 +1100 (EST)
Received: from merlin.infradead.org ([2001:4978:20e::2])
	by casper.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux))
	id 1WIeZy-0001Dh-Hx; Wed, 26 Feb 2014 13:31:18 +0000
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
	id 1WIeZx-00072P-1C; Wed, 26 Feb 2014 13:31:17 +0000
Received: from mail-ea0-x229.google.com ([2a00:1450:4013:c01::229])
	by merlin.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux))
	id 1WIeZt-00071n-D1
	for linux-mtd@lists.infradead.org; Wed, 26 Feb 2014 13:31:14 +0000
Received: by mail-ea0-f169.google.com with SMTP id d10so945102eaj.0
	for <linux-mtd@lists.infradead.org>;
	Wed, 26 Feb 2014 05:30:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:mime-version:content-type
	:content-transfer-encoding;
	bh=L247BLeJ2Yf08Aj36ZsTU6NRGa9xNWnP/U4STMAqFIU=;
	b=OKXNZf02CHPUEx9IDp9jTNSCeDB/73F/enS2X0b6HqHRzMkCHLuKcqKIUHAXtPkSzX
	RGbZYS08/aLKV16z+WAWRIiH/X88cY78zpWlQZEb3AHkW0JvZjLYLWCC2J9ZxGWGnwz3
	prZeuWkTvYsXk0efD88tNDBck2omVql9+ciUHDmG0opQ4pY+uTeKb78PJb+cjAud87xc
	85RvMrD9gLncOjYGJcI1YoEJ+xb4VX8P1L9x3tOnw3OrNapko5+nEkijEXJfOkJ4t0Qy
	xleGczLgAdK3yW+KvPVz10+bXN/ei23WmEQLYopINsiC80ZNsFxZvH4CL603GYjt4oC1
	2uVA==
X-Received: by 10.14.220.193 with SMTP id o41mr6963380eep.22.1393421450163;
	Wed, 26 Feb 2014 05:30:50 -0800 (PST)
Received: from linux-x91w.lan
	(ip-194-187-74-233.konfederacka.maverick.com.pl. [194.187.74.233])
	by mx.google.com with ESMTPSA id
	u6sm3773390eep.11.2014.02.26.05.30.48 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 26 Feb 2014 05:30:49 -0800 (PST)
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
To: linux-mtd@lists.infradead.org,
	David Woodhouse <David.Woodhouse@intel.com>,
	Artem Bityutskiy <dedekind1@gmail.com>,
	Brian Norris <computersforpeace@gmail.com>
Subject: [PATCH] mtd: bcm47xxpart: avoid overflowing when registering trx
Date: Wed, 26 Feb 2014 14:30:34 +0100
Message-Id: <1393421434-23561-1-git-send-email-zajec5@gmail.com>
X-Mailer: git-send-email 1.8.4.5
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20140226_083113_605370_B4108B7E 
X-CRM114-Status: UNSURE (   9.55  )
X-CRM114-Notice: Please train this message.
X-Spam-Score: -1.8 (-)
X-Spam-Report: SpamAssassin version 3.3.2 on merlin.infradead.org summary:
	Content analysis details:   (-1.8 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
	provider (zajec5[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends
	in digit (zajec5[at]gmail.com)
	-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
	[score: 0.0000]
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Cc: Hauke Mehrtens <hauke@hauke-m.de>,
	=?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>,
	Florian Fainelli <florian@openwrt.org>
X-BeenThere: linux-mtd@lists.infradead.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-mtd/>
List-Post: <mailto:linux-mtd@lists.infradead.org>
List-Help: <mailto:linux-mtd-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-mtd>,
	<mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>
Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org>
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Our code parsing "trx" header registers few partitions at once (in one
loop iteration). Add extra check in that place.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
---
 drivers/mtd/bcm47xxpart.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/mtd/bcm47xxpart.c b/drivers/mtd/bcm47xxpart.c
index e388e69..23d7122 100644
--- a/drivers/mtd/bcm47xxpart.c
+++ b/drivers/mtd/bcm47xxpart.c
@@ -147,6 +147,11 @@ static int bcm47xxpart_parse(struct mtd_info *master,
 
 		/* TRX */
 		if (buf[0x000 / 4] == TRX_MAGIC) {
+			if (BCM47XXPART_MAX_PARTS - curr_part < 4) {
+				pr_warn("Not enough partitions left to register trx, scanning stopped!\n");
+				break;
+			}
+
 			trx = (struct trx_header *)buf;
 
 			trx_part = curr_part;