From patchwork Tue Dec 23 01:11:03 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Robert Reif
X-Patchwork-Id: 15408
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <49503AA7.0@earthlink.net>
Date: Mon, 22 Dec 2008 20:11:03 -0500
From: Robert Reif
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.18) Gecko/20081030 SeaMonkey/1.1.13
To: "sparclinux@vger.kernel.org"
CC: David Miller
Subject: [PATCH] fix array overrun check in of_device_64.c
Sender: sparclinux-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: sparclinux@vger.kernel.org

Do the array length check and fixup before copying the array.

Signed-off-by: Robert Reif

diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c index 0f616ae..46e231f 100644 --- a/arch/sparc/kernel/of_device_64.c +++ b/arch/sparc/kernel/of_device_64.c 
@@ -811,20 +811,20 @@ static struct of_device * __init scan_one_device(struct device_node *dp, irq = of_get_property(dp, "interrupts", &len); if (irq) { - memcpy(op->irqs, irq, len); op->num_irqs = len / 4; + + /* Prevent overrunning the op->irqs[] array. */ + if (op->num_irqs > PROMINTR_MAX) { + printk(KERN_WARNING "%s: Too many irqs (%d), " + "limiting to %d.\n", + dp->full_name, op->num_irqs, PROMINTR_MAX); + op->num_irqs = PROMINTR_MAX; + } + memcpy(op->irqs, irq, op->num_irqs * 4); } else { op->num_irqs = 0; } - /* Prevent overrunning the op->irqs[] array. */ - if (op->num_irqs > PROMINTR_MAX) { - printk(KERN_WARNING "%s: Too many irqs (%d), " - "limiting to %d.\n", - dp->full_name, op->num_irqs, PROMINTR_MAX); - op->num_irqs = PROMINTR_MAX; - } - build_device_resources(op, parent); for (i = 0; i < op->num_irqs; i++) op->irqs[i] = build_one_device_irq(op, parent, op->irqs[i]);
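
Review bot: In the added `memcpy(op->irqs, irq, op->num_irqs * 4);` and the `len / 4` just above it, the element size is a bare literal and the clamp uses PROMINTR_MAX, so nothing in these lines ties either value to the destination array itself. Consider `ARRAY_SIZE(op->irqs)` for the limit and `sizeof(op->irqs[0])` for the element size, so the bound stays correct if the array's declaration ever changes. Moving the clamp ahead of the copy is the right order: before this change `len` bytes were copied into `op->irqs` first and `num_irqs` was limited only afterwards, so the check could not prevent the overrun its own comment describes. The commit message would be stronger if it said that explicitly, since it identifies this as a memory-safety fix for an oversized "interrupts" property rather than a reordering cleanup.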