GIT: unionfs-odf: usb-storage: don't access beyond the end of the sg buffer

Sun, 18 May 2008 04:46:30 -0700 

commit 90fbe8b1fa081a99616ccd7760f5877fcafa35ef
Author: Alan Stern <[EMAIL PROTECTED]>
Date:   Fri Feb 22 17:03:25 2008 -0500

    usb-storage: don't access beyond the end of the sg buffer
    
    This patch (as1038) fixes a bug in usb_stor_access_xfer_buf() and
    usb_stor_set_xfer_buf() (the bug was originally found by Boaz
    Harrosh): The routine must not attempt to write beyond the end of a
    scatter-gather list or beyond the number of bytes requested.
    
    This is the minimal 2.6.24 equivalent to as1035 +
    as1037 (7084191d53b224b953c8e1db525ea6c31aca5fc7 "USB:
    usb-storage: don't access beyond the end of the sg buffer" +
    6d512a80c26d87f8599057c86dc920fbfe0aa3aa "usb-storage: update earlier
    scatter-gather bug fix").  Mark Glines has confirmed that it fixes
    his problem.
    
    Signed-off-by: Alan Stern <[EMAIL PROTECTED]>
    Cc: Mark Glines <[EMAIL PROTECTED]>
    Cc: Boaz Harrosh <[EMAIL PROTECTED]>
    Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
    Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>

diff --git a/drivers/usb/storage/protocol.c b/drivers/usb/storage/protocol.c
index 889622b..45262f3 100644
--- a/drivers/usb/storage/protocol.c
+++ b/drivers/usb/storage/protocol.c
@@ -194,7 +194,7 @@ unsigned int usb_stor_access_xfer_buf(unsigned char *buffer,
                 * and the starting offset within the page, and update
                 * the *offset and *index values for the next loop. */
                cnt = 0;
-               while (cnt < buflen) {
+               while (cnt < buflen && sg) {
                        struct page *page = sg_page(sg) +
                                        ((sg->offset + *offset) >> PAGE_SHIFT);
                        unsigned int poff =
@@ -249,7 +249,8 @@ void usb_stor_set_xfer_buf(unsigned char *buffer,
        unsigned int offset = 0;
        struct scatterlist *sg = NULL;
 
-       usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
+       buflen = min(buflen, srb->request_bufflen);
+       buflen = usb_stor_access_xfer_buf(buffer, buflen, srb, &sg, &offset,
                        TO_XFER_BUF);
        if (buflen < srb->request_bufflen)
                srb->resid = srb->request_bufflen - buflen;
_______________________________________________
unionfs-cvs mailing list: http://unionfs.filesystems.org/
[email protected]
http://www.fsl.cs.sunysb.edu/mailman/listinfo/unionfs-cvs

Reply via email to