1. 20 Apr, 2010 3 commits
  2. 19 Apr, 2010 9 commits
  3. 18 Apr, 2010 1 commit
  4. 17 Apr, 2010 2 commits
  5. 16 Apr, 2010 5 commits
  6. 14 Apr, 2010 11 commits
  7. 13 Apr, 2010 5 commits
  8. 12 Apr, 2010 2 commits
  9. 10 Apr, 2010 2 commits
    • firewire: cdev: fix information leak · 9cac00b8
      Stefan Richter committed on
      A userspace client got to see uninitialized stack-allocated memory if it
      specified an _IOC_READ type of ioctl and an argument size larger than
      expected by firewire-core's ioctl handlers (but not larger than the
      core's union ioctl_arg).
      
      Fix this by clearing the requested buffer size to zero, but only at _IOR
      ioctls.  This way, there is almost no runtime penalty to legitimate
      ioctls.  The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
      or 16 bytes to memset.
      
      [Another way to fix this would be strict checking of argument size (and
      possibly direction) vs. command number.  However, we then need a lookup
      table, and we need to allow for slight size deviations in case of 32bit
      userland on 64bit kernel.]
      Reported-by: Clemens Ladisch <clemens@ladisch.de>
      Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
      9cac00b8
    • firewire: cdev: require quadlet-aligned headers for transmit packets · 385ab5bc
      Clemens Ladisch committed on
      The definition of struct fw_cdev_iso_packet seems to imply that the
      header_length must be quadlet-aligned, and in fact, specifying an
      unaligned header has never really worked when using multiple packet
      structures, because the position of the next control word is computed by
      rounding the header_length _down_, so the last one to three bytes of the
      header would overlap the next control word.
      
      To avoid this problem, check that the header length is properly aligned.
      Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
      Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
      385ab5bc
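
The leak described in the "firewire: cdev: fix information leak" commit above, as a userspace model added here (not code from the commit or from firewire-core). The direction flags, the 32-byte buffer size, the handler and the 0xAA marker standing in for stale stack contents are all constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* All names and values below are constructed for this model. */
#define DIR_WRITE   1u    /* stands in for _IOC_WRITE */
#define DIR_READ    2u    /* stands in for _IOC_READ */
#define ARG_BUF_LEN 32u   /* stands in for sizeof(union ioctl_arg) */
#define REPLY_LEN   12u   /* bytes the handler really fills */
#define STALE       0xAA  /* marker for leftover stack contents */

/* Handler fills only the reply it knows about. */
static void handler_get_timer(unsigned char *arg)
{
    memset(arg, 0x11, REPLY_LEN);
}

/* Returns how many stale bytes reached `out`, or -1 if size is rejected. */
static int dispatch(unsigned dir, size_t size, const unsigned char *in,
                    unsigned char *out, int fixed)
{
    unsigned char buf[ARG_BUF_LEN];
    int leaked = 0;

    memset(buf, STALE, sizeof(buf));   /* simulate uninitialized stack */
    if (size > sizeof(buf))
        return -1;                     /* larger than the union */
    if (fixed && dir == DIR_READ)
        memset(buf, 0, size);          /* the fix: clear at _IOR only */
    if (dir & DIR_WRITE)
        memcpy(buf, in, size);         /* models copy_from_user() */
    handler_get_timer(buf);
    if (dir & DIR_READ) {
        memcpy(out, buf, size);        /* models copy_to_user() */
        for (size_t i = 0; i < size; i++)
            leaked += (out[i] == STALE);
    }
    return leaked;
}

int main(void)
{
    unsigned char out[ARG_BUF_LEN];

    printf("unfixed, oversized _IOR: %d stale bytes\n",
           dispatch(DIR_READ, ARG_BUF_LEN, NULL, out, 0));
    printf("fixed,   oversized _IOR: %d stale bytes\n",
           dispatch(DIR_READ, ARG_BUF_LEN, NULL, out, 1));
    return 0;
}
```

A request that is both read and write direction never exposes stale bytes in this model, because the inbound copy already overwrites the full requested size; that is why clearing only at the read-only direction is sufficient.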