ACPICA: Prevent possible allocation overrun during object copy
authorLin Ming <ming.m.lin@intel.com>
Tue, 27 Apr 2010 03:46:25 +0000 (11:46 +0800)
committerLen Brown <len.brown@intel.com>
Thu, 6 May 2010 07:05:54 +0000 (03:05 -0400)
Original code did not handle the case where the object to be
copied was a namespace node.

Signed-off-by: Lin Ming <ming.m.lin@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
drivers/acpi/acpica/utcopy.c

index 97ec3621e71d1f35cdb8c0b8dfe7eb46df27a9bd..6fef83f04bcd01c8cad30b4481ab2ebc6e04ca08 100644 (file)
@@ -677,16 +677,24 @@ acpi_ut_copy_simple_object(union acpi_operand_object *source_desc,
        u16 reference_count;
        union acpi_operand_object *next_object;
        acpi_status status;
+       acpi_size copy_size;
 
        /* Save fields from destination that we don't want to overwrite */
 
        reference_count = dest_desc->common.reference_count;
        next_object = dest_desc->common.next_object;
 
-       /* Copy the entire source object over the destination object */
+       /*
+        * Copy the entire source object over the destination object.
+        * Note: Source can be either an operand object or namespace node.
+        */
+       copy_size = sizeof(union acpi_operand_object);
+       if (ACPI_GET_DESCRIPTOR_TYPE(source_desc) == ACPI_DESC_TYPE_NAMED) {
+               copy_size = sizeof(struct acpi_namespace_node);
+       }
 
-       ACPI_MEMCPY((char *)dest_desc, (char *)source_desc,
-                   sizeof(union acpi_operand_object));
+       ACPI_MEMCPY(ACPI_CAST_PTR(char, dest_desc),
+                   ACPI_CAST_PTR(char, source_desc), copy_size);
 
        /* Restore the saved fields */