atm: [he] limit queries to the device's register space

author Robert T. Johnson <rtjohnso@eecs.berkeley.edu>

Tue, 17 Jun 2008 00:20:52 +0000 (17:20 -0700)

committer David S. Miller <davem@davemloft.net>

Tue, 17 Jun 2008 00:20:52 +0000 (17:20 -0700)
author Robert T. Johnson <rtjohnso@eecs.berkeley.edu>
Tue, 17 Jun 2008 00:20:52 +0000 (17:20 -0700)
committer David S. Miller <davem@davemloft.net>
Tue, 17 Jun 2008 00:20:52 +0000 (17:20 -0700)
diff --git a/drivers/atm/he.c b/drivers/atm/he.c

index 320320e..fc636a3 100644 (file)
--- a/drivers/atm/he.c
+++ b/drivers/atm/he.c
@@ -2845,10 +2845,15 @@ he_ioctl(struct atm_dev *atm_dev, unsigned int cmd, void __user *arg)
                         if (copy_from_user(&reg, arg,
                                            sizeof(struct he_ioctl_reg)))
                                 return -EFAULT;
-                       
+
                         spin_lock_irqsave(&he_dev->global_lock, flags);
                         switch (reg.type) {
                                 case HE_REGTYPE_PCI:
+                                       if (reg.addr < 0 || reg.addr >= HE_REGMAP_SIZE) {
+                                               err = -EINVAL;
+                                               break;
+                                       }
+
                                         reg.val = he_readl(he_dev, reg.addr);
                                         break;
                                 case HE_REGTYPE_RCM:
author	Robert T. Johnson <rtjohnso@eecs.berkeley.edu>
	Tue, 17 Jun 2008 00:20:52 +0000 (17:20 -0700)
committer	David S. Miller <davem@davemloft.net>
	Tue, 17 Jun 2008 00:20:52 +0000 (17:20 -0700)