firewire: fw-ohci: use of uninitialized data in AR handler header_length and payload_length are filled with random data if an unknown tcode was read from the AR buffer (i.e. if the AR buffer contained invalid data). We still need a better strategy to recover from this, but at least handle_ar_packet now doesn't return out of bound buffer addresses anymore. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

commit: ccff962943df539c5860aa120eecc189d70a308b [log] [tgz]
author: Stefan Richter <stefanr@s5r6.in-berlin.de> Sat May 31 19:36:06 2008 +0200
committer: Stefan Richter <stefanr@s5r6.in-berlin.de> Thu Jun 19 00:12:34 2008 +0200
tree: 645f031d3b751a30e20ce65e364948fb9426f7b2
parent: 0bf607c5b4edd13362e4add6ca1e81f8a9fbd47c [diff] [blame]
diff --git a/drivers/firewire/fw-ohci.c b/drivers/firewire/fw-ohci.c
index 4f02c55..b062e73 100644
--- a/drivers/firewire/fw-ohci.c
+++ b/drivers/firewire/fw-ohci.c

@@ -548,6 +548,11 @@
 		p.header_length = 12;
 		p.payload_length = 0;
 		break;
+
+	default:
+		/* FIXME: Stop context, discard everything, and restart? */
+		p.header_length = 0;
+		p.payload_length = 0;
 	}
 
 	p.payload = (void *) buffer + p.header_length;
commit	ccff962943df539c5860aa120eecc189d70a308b	[log] [tgz]
author	Stefan Richter <stefanr@s5r6.in-berlin.de>	Sat May 31 19:36:06 2008 +0200
committer	Stefan Richter <stefanr@s5r6.in-berlin.de>	Thu Jun 19 00:12:34 2008 +0200
tree	645f031d3b751a30e20ce65e364948fb9426f7b2
parent	0bf607c5b4edd13362e4add6ca1e81f8a9fbd47c [diff] [blame]