Date: Tue, 21 Sep 2010 18:25:34 +0000 (UTC) From: Weongyo Jeong <weongyo@FreeBSD.org> To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r212973 - user/weongyo/usb/sys/dev/usb Message-ID: <201009211825.o8LIPYwV002641@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: weongyo Date: Tue Sep 21 18:25:33 2010 New Revision: 212973 URL: http://svn.freebsd.org/changeset/base/212973 Log: Checks the requested size whether it's over INT_MAX or not. If it's over explicitly make a panic. Most of cases the size would be less than 128 Kbytes (even if it's a worst case it'll be smaller than 1 Mbytes) because the buffer is for DMA operations. So if it's larger than 2G it means the driver writer did something wrong. Pointed by: imp Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c Modified: user/weongyo/usb/sys/dev/usb/usb_busdma.c ============================================================================== --- user/weongyo/usb/sys/dev/usb/usb_busdma.c Tue Sep 21 17:52:32 2010 (r212972) +++ user/weongyo/usb/sys/dev/usb/usb_busdma.c Tue Sep 21 18:25:33 2010 (r212973) @@ -34,6 +34,7 @@ #include <sys/bus.h> #include <sys/linker_set.h> #include <sys/module.h> +#include <sys/limits.h> #include <sys/lock.h> #include <sys/mutex.h> #include <sys/condvar.h> @@ -475,6 +476,12 @@ usb_pc_alloc_mem(struct usb_page_cache * uptag = pc->tag_parent; + /* + * Checks the requested size first before allocating DMA-able buffer + * that if the size is over 2G the alignment value could be overflowed. + */ + if (size >= INT_MAX) + panic("too big size (%d) for DMA-able buffer", size); if (align == 0) goto error; if (align != 1) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201009211825.o8LIPYwV002641>