ACPICA: Added additional parameter validation for LoadTable
authorLin Ming <ming.m.lin@intel.com>
Thu, 10 Apr 2008 15:06:40 +0000 (19:06 +0400)
committerLen Brown <len.brown@intel.com>
Tue, 22 Apr 2008 18:29:26 +0000 (14:29 -0400)
Implemented additional parameter validation for the LoadTable
operator. The length of the input strings SignatureString,
OemIdString, and OemTableId are now checked for maximum
lengths.

http://www.acpica.org/bugzilla/show_bug.cgi?id=582

Signed-off-by: Lin Ming <ming.m.lin@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
drivers/acpi/executer/exconfig.c

index b9543a7f5d21cd117e149d57982cdf39e7710d3a..3370aad3ee14cbbfb3ce84d9bd5e9ddb4d6838cb 100644 (file)
@@ -138,6 +138,14 @@ acpi_ex_load_table_op(struct acpi_walk_state *walk_state,
 
        ACPI_FUNCTION_TRACE(ex_load_table_op);
 
+       /* Validate lengths for the signature_string, OEMIDString, OEMtable_iD */
+
+       if ((operand[0]->string.length > ACPI_NAME_SIZE) ||
+           (operand[1]->string.length > ACPI_OEM_ID_SIZE) ||
+           (operand[2]->string.length > ACPI_OEM_TABLE_ID_SIZE)) {
+               return_ACPI_STATUS(AE_BAD_PARAMETER);
+       }
+
        /* Find the ACPI table in the RSDT/XSDT */
 
        status = acpi_tb_find_table(operand[0]->string.pointer,