From: Jens Axboe
cdrom_has_defect_mgt() has the same ->data_len bug - the length field is not total length, but the length following that field. So it should be + 4, not + 8. However, just kill the length check. Comparison of feature_code provides enough check.
Signed-off-by: Andrew Morton
---
25-akpm/drivers/cdrom/cdrom.c | 20 ++++++++------------
1 files changed, 8 insertions(+), 12 deletions(-)
diff -puN drivers/cdrom/cdrom.c~cdrom-hardware-defect-mgt-header-length drivers/cdrom/cdrom.c
--- 25/drivers/cdrom/cdrom.c~cdrom-hardware-defect-mgt-header-length 2004-06-08 18:19:36.437275040 -0700
+++ 25-akpm/drivers/cdrom/cdrom.c 2004-06-08 18:19:40.283690296 -0700
@@ -671,28 +671,24 @@ int cdrom_has_defect_mgt(struct cdrom_de
 {
 struct packet_command cgc;
 char buffer[16];
- struct feature_header *fh;
 __u16 *feature_code;
 int ret;
 init_cdrom_command(&cgc, buffer, sizeof(buffer), CGC_DATA_READ);
- cgc.cmd[0] = GPCMD_GET_CONFIGURATION; /* often 0x46 */
- cgc.cmd[3] = CDF_HWDM; /* often 0x0024 */
- cgc.cmd[8] = sizeof(buffer); /* often 0x10 */
+ cgc.cmd[0] = GPCMD_GET_CONFIGURATION;
+ cgc.cmd[3] = CDF_HWDM;
+ cgc.cmd[8] = sizeof(buffer);
 cgc.quiet = 1;
 if ((ret = cdi->ops->generic_packet(cdi, &cgc)))
 return ret;
- fh = (struct feature_header *)&buffer[0];
- ret = 1;
- if (be32_to_cpu(fh->data_len) >= (sizeof(struct feature_header)+8)) {
- feature_code = (__u16 *)&buffer[sizeof(struct feature_header)];
- if (CDF_HWDM == be16_to_cpu(*feature_code))
- ret = 0;
- }
- return ret;
+ feature_code = (__u16 *) &buffer[sizeof(struct feature_header)];
+ if (be16_to_cpu(*feature_code) == CDF_HWDM)
+ return 0;
+
+ return 1;
 }
_
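Review bot: With the data_len guard gone, the `be16_to_cpu(*feature_code) == CDF_HWDM` test on the new side is sound only if buffer[8..9] holds either a real feature descriptor or bytes that cannot equal CDF_HWDM when the drive answers with a header-only response; `char buffer[16]` is not initialized anywhere in this hunk, so that depends on init_cdrom_command() clearing the buffer, which is not visible here and should be confirmed before merging. A one-line comment above the assignment would make the assumption explicit, e.g. `/* buffer is zeroed by init_cdrom_command(); a header-only reply leaves feature_code 0, which is never CDF_HWDM (0x0024) */`. The commit's rationale otherwise holds: data_len is device-supplied just like the feature code, so comparing it against a fixed minimum added no validation that the feature-code compare does not already provide, and the 16-byte transfer is bounded by `cgc.cmd[8] = sizeof(buffer)` regardless of what the drive reports. The enclosing function's signature is cut by the hunk header, so the parameter type and any caller-side handling of the 0/1/negative return are not visible in this view.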