[ofa-general] [PATCH 2/4] IB/ipath -- limit length checksummed in eeprom

Arthur Jones arthur.jones at qlogic.com
Fri Oct 26 07:46:30 PDT 2007


From: Michael Albaugh <Michael.Albaugh at Qlogic.com>

The small eeprom that holds, e.g. GUID contains a data-length, but if the
actual eeprom is new or has been erased, that byte will be 0xFF, which is
greater than the maximum physical length of the eeprom, and more importantly
greater than the length of the buffer we vmalloc'd. Sanity-check the length
to avoid the possibility of reading past end of buffer.

Signed-off-by: Michael Albaugh <Michael.Albaugh at Qlogic.com>
---

 drivers/infiniband/hw/ipath/ipath_eeprom.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/drivers/infiniband/hw/ipath/ipath_eeprom.c b/drivers/infiniband/hw/ipath/ipath_eeprom.c
index bcfa3cc..e7c25db 100644
--- a/drivers/infiniband/hw/ipath/ipath_eeprom.c
+++ b/drivers/infiniband/hw/ipath/ipath_eeprom.c
@@ -538,7 +538,15 @@ static u8 flash_csum(struct ipath_flash *ifp, int adjust)
 	u8 *ip = (u8 *) ifp;
 	u8 csum = 0, len;
 
-	for (len = 0; len < ifp->if_length; len++)
+	/*
+	 * Limit length checksummed to max length of actual data.
+	 * Checksum of erased eeprom will still be bad, but we avoid
+	 * reading past the end of the buffer we were passed.
+	 */
+	len = ifp->if_length;
+	if (len > sizeof(struct ipath_flash))
+		len = sizeof(struct ipath_flash);
+	while (len--)
 		csum += *ip++;
 	csum -= ifp->if_csum;
 	csum = ~csum;
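
Review bot: The clamp at `if (len > sizeof(struct ipath_flash))` silently truncates an out-of-range `if_length` and then depends on the checksum failing to match, which the new comment asserts but nothing in this function enforces. It would be more robust to treat `if_length > sizeof(struct ipath_flash)` as an explicit error, either here or in the caller, so an erased or corrupt EEPROM is reported as a bad length rather than left to a checksum mismatch. The bound also assumes the buffer behind `ifp` is at least `sizeof(struct ipath_flash)` bytes; the commit message refers to the vmalloc'd buffer length, which is not visible in this hunk, so the comment should state that invariant. Note too that only the upper bound is checked: a length shorter than the header fields still gets a checksum computed over fewer bytes than the structure holds.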
