Source-Changes-HG archive
[src/trunk]: src/sys/dev/pcmcia Add simple boundary check on CIS parsing.
details: https://anonhg.NetBSD.org/src/rev/eb67def15dda
branches: trunk
changeset: 515424:eb67def15dda
user: itohy <itohy%NetBSD.org@localhost>
date: Mon Sep 24 14:19:10 2001 +0000
description:
Add simple boundary check on CIS parsing.
I have a weird PC-card-style appliance (I'm not sure I may call it a PC card)
whose ``CIS'' reads zeros forever, which caused a kernel panic.
For your interest, it is a cooling fan to be inserted into a PC card slot.
diffstat:
sys/dev/pcmcia/pcmcia_cis.c | 16 +++++++++++++++-
1 files changed, 15 insertions(+), 1 deletions(-)
diffs (37 lines):
diff -r 07fc617ed900 -r eb67def15dda sys/dev/pcmcia/pcmcia_cis.c
--- a/sys/dev/pcmcia/pcmcia_cis.c Mon Sep 24 13:22:25 2001 +0000
+++ b/sys/dev/pcmcia/pcmcia_cis.c Mon Sep 24 14:19:10 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pcmcia_cis.c,v 1.24 2001/07/07 16:51:47 thorpej Exp $ */
+/* $NetBSD: pcmcia_cis.c,v 1.25 2001/09/24 14:19:10 itohy Exp $ */
/*
* Copyright (c) 1997 Marc Horowitz. All rights reserved.
@@ -154,6 +154,19 @@
while (1) {
while (1) {
+ /*
+ * Perform boundary check for insane cards.
+ * If CIS is too long, simulate CIS end.
+ * (This check may not be sufficient for
+ * malicious cards.)
+ */
+ if (tuple.mult * tuple.ptr >= PCMCIA_CIS_SIZE - 1
+ - 32 /* ad hoc value */ ) {
+ DPRINTF(("CISTPL_END (too long CIS)\n"));
+ tuple.code = PCMCIA_CISTPL_END;
+ goto cis_end;
+ }
+
/* get the tuple code */
DELAY(1000);
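Review bot: The bound in `if (tuple.mult * tuple.ptr >= PCMCIA_CIS_SIZE - 1 - 32 /* ad hoc value */)` is tested only once per tuple, before the code byte is read. It therefore protects the reads that follow only if none of them reaches more than 32 bytes past `tuple.ptr`, and nothing visible in this hunk enforces that. The comment already concedes the check may not be sufficient for malicious cards. I would rather see the limit derived from what is actually read: re-check against `PCMCIA_CIS_SIZE` once the tuple's extent is known, or put the bound in the accessor that reads CIS bytes so every read is covered, and replace the literal 32 with a named constant that documents what it reserves. Separately, the truncation is reported only through `DPRINTF(("CISTPL_END (too long CIS)\n"))`; if that macro compiles out in non-debug kernels, a card with a runaway CIS is cut short silently, so an unconditional one-line diagnostic would help whoever has to debug the attach failure.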
@@ -167,6 +180,7 @@
continue;
} else if (tuple.code == PCMCIA_CISTPL_END) {
DPRINTF(("CISTPL_END\n ff\n"));
+ cis_end:
/* Call the function for the END tuple, since
the CIS semantics depend on it */
if ((*fct) (&tuple, arg)) {
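Review bot: The new `cis_end:` label sits inside the `else if (tuple.code == PCMCIA_CISTPL_END)` branch and is entered by a `goto` from the top of the inner loop, where only `tuple.code` has been assigned. The callback invoked as `(*fct) (&tuple, arg)` therefore sees whatever the other fields of `tuple` held after the previous tuple (its length, for instance), not values describing an END tuple. Please set those fields explicitly before the jump, or factor the END handling into a small helper called from both places so the synthetic END does not depend on leftover state. Jumping into the middle of a conditional body also makes the control flow easy to break in later edits; a short comment at the label naming the second entry point would at least make it visible.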