From 9a0a35972591f91167556b4a61673d08ef07f310 Mon Sep 17 00:00:00 2001 From: Lv Zheng Date: Thu, 21 Nov 2013 12:17:34 +0800 Subject: ACPICA: Resources: Fix loop termination for the get AML length function. The loop terminates on a NULL resource pointer, which can never happen since the loop simply increments a valid resource pointer. This fix changes the loop to terminate on an end-of-buffer condition. Problem can be seen by callers to AcpiSetCurrentResources with an invalid or corrupted resource descriptor; or a resource descriptor without an END_TAG descriptor. (refined by Bob Moore) Reported-by: Dan Carpenter Signed-off-by: Lv Zheng Signed-off-by: Bob Moore Signed-off-by: Rafael J. Wysocki --- drivers/acpi/acpica/rscalc.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'drivers/acpi/acpica/rscalc.c') diff --git a/drivers/acpi/acpica/rscalc.c b/drivers/acpi/acpica/rscalc.c index b62a0f4f4f9b..b60c9cf82862 100644 --- a/drivers/acpi/acpica/rscalc.c +++ b/drivers/acpi/acpica/rscalc.c @@ -174,6 +174,7 @@ acpi_rs_stream_option_length(u32 resource_length, * FUNCTION: acpi_rs_get_aml_length * * PARAMETERS: resource - Pointer to the resource linked list + * resource_list_size - Size of the resource linked list * size_needed - Where the required size is returned * * RETURN: Status @@ -185,16 +186,20 @@ acpi_rs_stream_option_length(u32 resource_length, ******************************************************************************/ acpi_status -acpi_rs_get_aml_length(struct acpi_resource * resource, acpi_size * size_needed) +acpi_rs_get_aml_length(struct acpi_resource *resource, + acpi_size resource_list_size, acpi_size * size_needed) { acpi_size aml_size_needed = 0; + struct acpi_resource *resource_end; acpi_rs_length total_size; ACPI_FUNCTION_TRACE(rs_get_aml_length); /* Traverse entire list of internal resource descriptors */ - while (resource) { + resource_end = + ACPI_ADD_PTR(struct acpi_resource, resource, resource_list_size); + while (resource < resource_end) { /* Validate the descriptor type */ -- cgit