sparc: fix array overrun check in of_device_64.c
Robert Reif [Fri, 26 Dec 2008 23:39:11 +0000 (15:39 -0800)]
Do the array length check and fixup before copying the array.

Signed-off-by: Robert Reif <reif@earthlink.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

arch/sparc/kernel/of_device_64.c

index 0f616ae..46e231f 100644 (file)
@@ -811,20 +811,20 @@ static struct of_device * __init scan_one_device(struct device_node *dp,
 
        irq = of_get_property(dp, "interrupts", &len);
        if (irq) {
-               memcpy(op->irqs, irq, len);
                op->num_irqs = len / 4;
+
+               /* Prevent overrunning the op->irqs[] array.  */
+               if (op->num_irqs > PROMINTR_MAX) {
+                       printk(KERN_WARNING "%s: Too many irqs (%d), "
+                              "limiting to %d.\n",
+                              dp->full_name, op->num_irqs, PROMINTR_MAX);
+                       op->num_irqs = PROMINTR_MAX;
+               }
+               memcpy(op->irqs, irq, op->num_irqs * 4);
        } else {
                op->num_irqs = 0;
        }
 
-       /* Prevent overrunning the op->irqs[] array.  */
-       if (op->num_irqs > PROMINTR_MAX) {
-               printk(KERN_WARNING "%s: Too many irqs (%d), "
-                      "limiting to %d.\n",
-                      dp->full_name, op->num_irqs, PROMINTR_MAX);
-               op->num_irqs = PROMINTR_MAX;
-       }
-
        build_device_resources(op, parent);
        for (i = 0; i < op->num_irqs; i++)
                op->irqs[i] = build_one_device_irq(op, parent, op->irqs[i]);