[PATCH] mpparse: prevent table index out-of-bounds John Z. Bohach <jzb@aexorsyst.com> found this bug: If the board has more than 32 PCI busses on it, the mptable bus array will overwrite its bounds for the PCI busses, and stomp on anything that's after it. Prevent possible table overflow and unknown data corruption. Code is in an __init section so it will be discarded after init. Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: c0ec31ad334fb83e53f2130eacbb44a639f77967 [log] [tgz]
author: Randy Dunlap <rdunlap@xenotime.net> Mon Apr 10 22:53:13 2006 -0700
committer: Linus Torvalds <torvalds@g5.osdl.org> Tue Apr 11 06:18:34 2006 -0700
tree: 449070f25aa346dab179325d4eafc305bb6557b8
parent: e39632faa0efbddc3aed4f8658f2fa0a8afa2717 [diff] [blame]
diff --git a/arch/i386/kernel/mpparse.c b/arch/i386/kernel/mpparse.c
index 4f95c9c..34d21e2 100644
--- a/arch/i386/kernel/mpparse.c
+++ b/arch/i386/kernel/mpparse.c

@@ -229,6 +229,13 @@
 
 	mpc_oem_bus_info(m, str, translation_table[mpc_record]);
 
+	if (m->mpc_busid >= MAX_MP_BUSSES) {
+		printk(KERN_WARNING "MP table busid value (%d) for bustype %s "
+			" is too large, max. supported is %d\n",
+			m->mpc_busid, str, MAX_MP_BUSSES - 1);
+		return;
+	}
+
 	if (strncmp(str, BUSTYPE_ISA, sizeof(BUSTYPE_ISA)-1) == 0) {
 		mp_bus_id_to_type[m->mpc_busid] = MP_BUS_ISA;
 	} else if (strncmp(str, BUSTYPE_EISA, sizeof(BUSTYPE_EISA)-1) == 0) {
commit	c0ec31ad334fb83e53f2130eacbb44a639f77967	[log] [tgz]
author	Randy Dunlap <rdunlap@xenotime.net>	Mon Apr 10 22:53:13 2006 -0700
committer	Linus Torvalds <torvalds@g5.osdl.org>	Tue Apr 11 06:18:34 2006 -0700
tree	449070f25aa346dab179325d4eafc305bb6557b8
parent	e39632faa0efbddc3aed4f8658f2fa0a8afa2717 [diff] [blame]