From: Armin - Allocate buffer of correct size. - Fix possible buffer overflow. - Use correct debug level for double registered application. --- drivers/isdn/hardware/eicon/capifunc.c | 4 ++-- drivers/isdn/hardware/eicon/divamnt.c | 10 +++++----- drivers/isdn/hardware/eicon/mntfunc.c | 15 +++++++++------ drivers/isdn/hardware/eicon/platform.h | 4 +++- drivers/isdn/hardware/eicon/um_idi.c | 4 ++-- drivers/isdn/hardware/eicon/xdi_adapter.h | 4 ++-- 6 files changed, 23 insertions(+), 18 deletions(-) diff -puN drivers/isdn/hardware/eicon/capifunc.c~eicon-buffer-allocation-fixes drivers/isdn/hardware/eicon/capifunc.c --- 25/drivers/isdn/hardware/eicon/capifunc.c~eicon-buffer-allocation-fixes 2004-01-15 08:16:29.000000000 -0800 +++ 25-akpm/drivers/isdn/hardware/eicon/capifunc.c 2004-01-15 08:16:29.000000000 -0800 @@ -1,4 +1,4 @@ -/* $Id: capifunc.c,v 1.47 2003/09/09 06:52:29 schindler Exp $ +/* $Id: capifunc.c,v 1.48 2004/01/11 19:20:54 armin Exp $ * * ISDN interface module for Eicon active cards DIVA. * CAPI Interface common functions @@ -776,7 +776,7 @@ static void diva_register_appl(struct ca } if (application[appl - 1].Id == appl) { - DBG_ERR(("CAPI_REGISTER - appl already registered")) + DBG_LOG(("CAPI_REGISTER - appl already registered")) return; /* appl already registered */ } diff -puN drivers/isdn/hardware/eicon/divamnt.c~eicon-buffer-allocation-fixes drivers/isdn/hardware/eicon/divamnt.c --- 25/drivers/isdn/hardware/eicon/divamnt.c~eicon-buffer-allocation-fixes 2004-01-15 08:16:29.000000000 -0800 +++ 25-akpm/drivers/isdn/hardware/eicon/divamnt.c 2004-01-15 08:16:29.000000000 -0800 @@ -1,4 +1,4 @@ -/* $Id: divamnt.c,v 1.28 2003/09/18 06:57:18 schindler Exp $ +/* $Id: divamnt.c,v 1.32 2004/01/15 09:48:13 armin Exp $ * * Driver for Eicon DIVA Server ISDN cards. * Maint module @@ -26,7 +26,7 @@ #include "divasync.h" #include "debug_if.h" -static char *main_revision = "$Revision: 1.28 $"; +static char *main_revision = "$Revision: 1.32 $"; static int major; @@ -53,7 +53,7 @@ static struct timeval start_time; extern int mntfunc_init(int *, void **, unsigned long); extern void mntfunc_finit(void); -extern int maint_read_write(void *buf); +extern int maint_read_write(void *buf, int count); /* * helper functions @@ -363,13 +363,13 @@ static void remove_maint_proc(void) static ssize_t divas_maint_write(struct file *file, const char *buf, size_t count, loff_t * ppos) { - return (maint_read_write((char *) buf)); + return (maint_read_write((char *) buf, (int) count)); } static ssize_t divas_maint_read(struct file *file, char *buf, size_t count, loff_t * ppos) { - return (maint_read_write(buf)); + return (maint_read_write(buf, (int) count)); } static struct file_operations divas_maint_fops = { diff -puN drivers/isdn/hardware/eicon/mntfunc.c~eicon-buffer-allocation-fixes drivers/isdn/hardware/eicon/mntfunc.c --- 25/drivers/isdn/hardware/eicon/mntfunc.c~eicon-buffer-allocation-fixes 2004-01-15 08:16:29.000000000 -0800 +++ 25-akpm/drivers/isdn/hardware/eicon/mntfunc.c 2004-01-15 08:16:29.000000000 -0800 @@ -1,4 +1,4 @@ -/* $Id: mntfunc.c,v 1.16 2003/09/18 06:57:17 schindler Exp $ +/* $Id: mntfunc.c,v 1.19 2004/01/09 21:22:03 armin Exp $ * * Driver for Eicon DIVA Server ISDN cards. * Maint module @@ -148,12 +148,15 @@ static void DIVA_EXIT_FUNCTION disconnec /* * read/write maint */ -int maint_read_write(void *buf) +int maint_read_write(void *buf, int count) { byte data[128]; dword cmd, id, mask; int ret = 0; + if (count < (3 * sizeof(dword))) + return (-EFAULT); + if (diva_os_copy_from_user(NULL, (void *) &data[0], buf, 3 * sizeof(dword))) { return (-EFAULT); @@ -166,7 +169,7 @@ int maint_read_write(void *buf) switch (cmd) { case DITRACE_CMD_GET_DRIVER_INFO: if ((ret = diva_get_driver_info(id, data, sizeof(data))) > 0) { - if (diva_os_copy_to_user + if ((count < ret) || diva_os_copy_to_user (NULL, buf, (void *) &data[0], ret)) ret = -EFAULT; } else { @@ -176,7 +179,7 @@ int maint_read_write(void *buf) case DITRACE_READ_DRIVER_DBG_MASK: if ((ret = diva_get_driver_dbg_mask(id, (byte *) data)) > 0) { - if (diva_os_copy_to_user + if ((count < ret) || diva_os_copy_to_user (NULL, buf, (void *) &data[0], ret)) ret = -EFAULT; } else { @@ -209,7 +212,7 @@ int maint_read_write(void *buf) ret = size; memcpy(pbuf, pmsg, size); diva_maint_ack_message(1, &old_irql); - if (diva_os_copy_to_user (NULL, buf, + if ((count < size) || diva_os_copy_to_user (NULL, buf, (void *) pbuf, size)) ret = -EFAULT; diva_os_free_tbuffer(0, pbuf); @@ -265,7 +268,7 @@ int maint_read_write(void *buf) pbuf[written++] = 0; pbuf[written++] = 0; - if (diva_os_copy_to_user(NULL, buf, (void *) pbuf, written)) { + if ((count < written) || diva_os_copy_to_user(NULL, buf, (void *) pbuf, written)) { ret = -EFAULT; } else { ret = written; diff -puN drivers/isdn/hardware/eicon/platform.h~eicon-buffer-allocation-fixes drivers/isdn/hardware/eicon/platform.h --- 25/drivers/isdn/hardware/eicon/platform.h~eicon-buffer-allocation-fixes 2004-01-15 08:16:29.000000000 -0800 +++ 25-akpm/drivers/isdn/hardware/eicon/platform.h 2004-01-15 08:16:29.000000000 -0800 @@ -1,4 +1,4 @@ -/* $Id: platform.h,v 1.32 2003/09/18 06:59:59 schindler Exp $ +/* $Id: platform.h,v 1.35 2003/12/05 18:45:05 armin Exp $ * * platform.h * @@ -117,6 +117,8 @@ #define MEM_TYPE_CONFIG 7 #define MEM_TYPE_CONTROL 8 +#define MAX_MEM_TYPE 10 + #define DIVA_OS_MEM_ATTACH_RAM(a) ((a)->ram) #define DIVA_OS_MEM_ATTACH_PORT(a) ((a)->port) #define DIVA_OS_MEM_ATTACH_PROM(a) ((a)->prom) diff -puN drivers/isdn/hardware/eicon/um_idi.c~eicon-buffer-allocation-fixes drivers/isdn/hardware/eicon/um_idi.c --- 25/drivers/isdn/hardware/eicon/um_idi.c~eicon-buffer-allocation-fixes 2004-01-15 08:16:29.000000000 -0800 +++ 25-akpm/drivers/isdn/hardware/eicon/um_idi.c 2004-01-15 08:16:29.000000000 -0800 @@ -1,4 +1,4 @@ -/* $Id: um_idi.c,v 1.9 2003/09/09 06:00:47 schindler Exp $ */ +/* $Id: um_idi.c,v 1.12 2004/01/12 18:00:09 armin Exp $ */ #include "platform.h" #include "di_defs.h" @@ -252,7 +252,7 @@ void *divas_um_idi_create_entity(dword a diva_os_free(0, e); return (0); } - if ((diva_data_q_init(&e->rc, 64, 2))) { + if ((diva_data_q_init(&e->rc, sizeof(diva_um_idi_ind_hdr_t), 2))) { diva_data_q_finit(&e->data); diva_os_free(0, e->os_context); diva_os_free(0, e); diff -puN drivers/isdn/hardware/eicon/xdi_adapter.h~eicon-buffer-allocation-fixes drivers/isdn/hardware/eicon/xdi_adapter.h --- 25/drivers/isdn/hardware/eicon/xdi_adapter.h~eicon-buffer-allocation-fixes 2004-01-15 08:16:29.000000000 -0800 +++ 25-akpm/drivers/isdn/hardware/eicon/xdi_adapter.h 2004-01-15 08:16:29.000000000 -0800 @@ -1,4 +1,4 @@ -/* $Id: xdi_adapter.h,v 1.5 2003/06/21 17:06:08 schindler Exp $ */ +/* $Id: xdi_adapter.h,v 1.6 2003/12/05 18:45:05 armin Exp $ */ #ifndef __DIVA_OS_XDI_ADAPTER_H__ #define __DIVA_OS_XDI_ADAPTER_H__ @@ -14,7 +14,7 @@ typedef struct _divas_pci_card_resources dword bar[8]; /* contains context of appropriate BAR Register */ void *addr[8]; /* same bar, but mapped into memory */ dword length[8]; /* bar length */ - int mem_type_id[10]; + int mem_type_id[MAX_MEM_TYPE]; unsigned int qoffset; byte irq; } divas_pci_card_resources_t; _