[PATCH] More 1394 updates

This incorporates security fixes from Alan that I brought from the 2.4.20-pre9 tree.

[PATCH] More 1394 updates
This incorporates security fixes from Alan that I brought from the 2.4.20-pre9 tree.
5e81feda · Ben Collins · 8e2cc1ed · 5e81feda · 5e81feda · 5e81feda
Commit 5e81feda authored Oct 03, 2002 by Ben Collins
Showing with 11 additions and 8 deletions

drivers/ieee1394/amdtp.c drivers/ieee1394/amdtp.c +5 -4

drivers/ieee1394/dv1394.c drivers/ieee1394/dv1394.c +4 -3

drivers/ieee1394/pcilynx.c drivers/ieee1394/pcilynx.c +2 -1

No files found.
--- a/drivers/ieee1394/amdtp.c
+++ b/drivers/ieee1394/amdtp.c
@@ -196,7 +196,7 @@ struct packet_list {
 /* This implements a circular buffer for incoming samples. */
 struct buffer {
-	int head, tail, length, size;
+	size_t head, tail, length, size;
 	unsigned char data[0];
 };
@@ -623,9 +623,9 @@ static unsigned char *buffer_get_bytes(struct buffer *buffer, int size)
 }
 static unsigned char *buffer_put_bytes(struct buffer *buffer,
-				       int max, int *actual)
+				       size_t max, size_t *actual)
 {
-	int length;
+	size_t length;
 	unsigned char *p;
 	p = &buffer->data[buffer->tail];
@@ -1089,7 +1089,8 @@ static ssize_t amdtp_write(struct file *file, const char *buffer, size_t count,
 {
 	struct stream *s = file->private_data;
 	unsigned char *p;
-	int i, length;
+	int i;
+	size_t length;
 	if (s->packet_pool == NULL)
 		return -EBADFD;

--- a/drivers/ieee1394/dv1394.c
+++ b/drivers/ieee1394/dv1394.c
@@ -2139,7 +2139,7 @@ static int dv1394_procfs_write( struct file *file,
 			const char *buffer, unsigned long count, void *data)
 {
 	int len = 0;
-	char new_value[64];
+	char new_value[65];
 	char *pos;
 	struct video_card *video = (struct video_card*) data;
@@ -2151,11 +2151,12 @@ static int dv1394_procfs_write( struct file *file,
 	if (copy_from_user( new_value, buffer, len))
 		return -EFAULT;
+	new_value[len] = 0;
 	pos = strchr(new_value, '=');
 	if (pos != NULL) {
 		int val_len = len - (pos-new_value) - 1;
-		char buf[64];
+		char buf[65];
-		memset(buf, 0, 64);
+		memset(buf, 0, 65);
 		strncpy(buf, pos+1, val_len);
 		if (buf[val_len-1] == '\n') buf[val_len-1] = 0;

--- a/drivers/ieee1394/pcilynx.c
+++ b/drivers/ieee1394/pcilynx.c
@@ -887,13 +887,14 @@ static ssize_t mem_read(struct file *file, char *buffer, size_t count,
        struct memdata *md = (struct memdata *)file->private_data;
        ssize_t bcount;
        size_t alignfix;
-        int off = (int)*offset; /* avoid useless 64bit-arithmetic */
+	loff_t off = *offset; /* avoid useless 64bit-arithmetic */
        ssize_t retval;
        void *membase;
 	if (*offset != off)	/* Check for EOF before we trust wrap */
 		return 0;
+	/* FIXME: Signed wrap is undefined in C - wants fixing up */
 	if (off + count > off)
 		return 0;