From ef370ee74b7a9cb769d50bfb73b4023ee3e37719 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kristian=20H=C3=B8gsberg?= <krh@redhat.com>
Date: Wed, 28 Mar 2007 20:46:23 +0200
Subject: firewire: Fix the range check for the queue_iso payload pointer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Kristian Høgsberg <krh@redhat.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (renamed a variable)
---
 drivers/firewire/fw-device-cdev.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'drivers/firewire')

diff --git a/drivers/firewire/fw-device-cdev.c b/drivers/firewire/fw-device-cdev.c
index d02dbc5..fab6dfb 100644
--- a/drivers/firewire/fw-device-cdev.c
+++ b/drivers/firewire/fw-device-cdev.c
@@ -711,7 +711,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
 	struct fw_cdev_queue_iso request;
 	struct fw_cdev_iso_packet __user *p, *end, *next;
 	struct fw_iso_context *ctx = client->iso_context;
-	unsigned long payload, payload_end, header_length;
+	unsigned long payload, buffer_end, header_length;
 	int count;
 	struct {
 		struct fw_iso_packet packet;
@@ -732,11 +732,11 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
 	 * and the request.data pointer is ignored.*/
 
 	payload = (unsigned long)request.data - client->vm_start;
-	payload_end = payload + (client->buffer.page_count << PAGE_SHIFT);
+	buffer_end = client->buffer.page_count << PAGE_SHIFT;
 	if (request.data == 0 || client->buffer.pages == NULL ||
-	    payload >= payload_end) {
+	    payload >= buffer_end) {
 		payload = 0;
-		payload_end = 0;
+		buffer_end = 0;
 	}
 
 	if (!access_ok(VERIFY_READ, request.packets, request.size))
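Review bot: The shift in `buffer_end = client->buffer.page_count << PAGE_SHIFT;` is evaluated in the type of `page_count`, which this hunk does not show. If that field is a plain `int`, a large enough buffer would overflow before the result is widened to `unsigned long`, and the `payload >= buffer_end` check would compare against a wrong bound. Casting first keeps the arithmetic in the wider type: `buffer_end = (unsigned long)client->buffer.page_count << PAGE_SHIFT;`. A one-line comment above the assignment, such as `/* payload and buffer_end are byte offsets relative to client->vm_start */`, would also record the invariant. The body of ioctl_queue_iso starts and ends outside this hunk.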
@@ -773,7 +773,7 @@ static int ioctl_queue_iso(struct client *client, void __user *arg)
 		if (u.packet.skip && ctx->type == FW_ISO_CONTEXT_TRANSMIT &&
 		    u.packet.header_length + u.packet.payload_length > 0)
 			return -EINVAL;
-		if (payload + u.packet.payload_length > payload_end)
+		if (payload + u.packet.payload_length > buffer_end)
 			return -EINVAL;
 
 		if (fw_iso_context_queue(ctx, &u.packet,
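Review bot: The per-packet bound `payload + u.packet.payload_length > buffer_end` adds before it compares, so it is only correct if the sum cannot wrap `unsigned long`. The width of `payload_length` is not visible here, so this may already hold in practice. From the earlier hunk, `payload` is either below `buffer_end` or both are zero, and if the loop only advances `payload` after this check (the loop is outside the hunk), it never exceeds `buffer_end`. Under that assumption the subtractive form `if (u.packet.payload_length > buffer_end - payload)` expresses the same limit without relying on the field width. The enclosing loop and the rest of ioctl_queue_iso are outside this hunk.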
-- 
cgit v1.1