author | Michael Shalayeff <mickey@cvs.openbsd.org> | 2002-01-02 18:34:12 +0000 |
---|---|---|
committer | Michael Shalayeff <mickey@cvs.openbsd.org> | 2002-01-02 18:34:12 +0000 |
commit | e066206d4fb7472290ff9de3c545a3700a3890e6 (patch) | |
tree | a8a0d252a1ade5741145a722c0fc264b8e04240e /sys/dev | |
parent | c5ebcbf04ee0e8be66d0ef3ad2f8335e85c727fd (diff) |
proper data length handling on read; from toby@svector.co.uk
Diffstat (limited to 'sys/dev')
-rw-r--r-- | sys/dev/ic/an.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/sys/dev/ic/an.c b/sys/dev/ic/an.c
index 764fd6627b6..97595de2504 100644
--- a/sys/dev/ic/an.c
+++ b/sys/dev/ic/an.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: an.c,v 1.20 2001/09/29 21:54:00 mickey Exp $ */
+/* $OpenBSD: an.c,v 1.21 2002/01/02 18:34:11 mickey Exp $ */

 /*
 * Copyright (c) 1997, 1998, 1999
@@ -609,6 +609,7 @@ an_read_record(sc, ltv)
 {
 u_int16_t *ptr, len;
 int i;
+ u_int16_t ltv_data_length;

 if (ltv->an_len < 4 || ltv->an_type == 0)
 return(EINVAL);
@@ -628,23 +629,28 @@ an_read_record(sc, ltv)
 }

 /*
- * Read the length and record type and make sure they
- * match what we expect (this verifies that we have enough
+ * Read the length to make sure it
+ * matches what we expect (this verifies that we have enough
 * room to hold all of the returned data).
 */
 len = CSR_READ_2(sc, AN_DATA1);
- if (len > ltv->an_len) {
+
+ /*
+ * Work out record's data length, which is struct length - type word
+ * as we have just read the length.
+ */
+ ltv_data_length = ltv->an_len - sizeof(u_int16_t);
+
+ if (len > ltv_data_length) {
 printf("%s: RID 0x%04x record length mismatch -- expected %d, "
 "got %d\n", sc->sc_dev.dv_xname, ltv->an_type,
- ltv->an_len, len);
+ ltv_data_length, len);
 return(ENOSPC);
 }

- ltv->an_len = len;
-
 /* Now read the data. */
 ptr = ltv->an_val;
- for (i = 0; i < (ltv->an_len - 1) >> 1; i++)
+ for (i = 0; i < (len - 1) >> 1; i++)
 ptr[i] = CSR_READ_2(sc, AN_DATA1);

 #if BYTE_ORDER == BIG_ENDIAN |
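Review bot: In the third hunk, dropping `ltv->an_len = len;` after the ENOSPC check means an_read_record no longer tells its caller how many bytes the card actually returned, so when `len` is smaller than `ltv_data_length` the tail of `ltv->an_val` keeps whatever was in the caller's buffer. Callers are outside this diff, but if any of them hands `an_len` bytes onward (for instance back to userland), that stale data travels with it; keeping the update in the new units, `ltv->an_len = len + sizeof(u_int16_t);`, would preserve the length report. Separately, `len` comes straight from the card and only has an upper bound: a value of 0 makes the loop bound `(len - 1) >> 1` a right shift of a negative int, which is implementation-defined, so a lower-bound check beside the upper one would make that case explicit. The body of an_read_record starts and ends outside the hunk.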