From 172e6a57e967c46fdb2800d745bf34c3780ce333 Mon Sep 17 00:00:00 2001
From: Clemens Ladisch <clemens@ladisch.de>
Date: Wed, 7 Jul 2010 14:37:30 +0200
Subject: [PATCH] --- yaml --- r: 206837 b: refs/heads/master c:
 a8e93f3dccc066cd6dd1e9db1e35942914fc57d1 h: refs/heads/master i:   206835:
 bda9ca9128b07457ca7364ebe9a51fbb00261a35 v: v3

---
 [refs]                             | 2 +-
 trunk/drivers/firewire/core-cdev.c | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index aff69b373c95..271644036cb0 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 250b2b6dd421c9f8844a867d2ac06e0661e0ad93
+refs/heads/master: a8e93f3dccc066cd6dd1e9db1e35942914fc57d1
diff --git a/trunk/drivers/firewire/core-cdev.c b/trunk/drivers/firewire/core-cdev.c
index d8ac0ce2d6bf..f7559bfeaba3 100644
--- a/trunk/drivers/firewire/core-cdev.c
+++ b/trunk/drivers/firewire/core-cdev.c
@@ -563,6 +563,10 @@ static int init_request(struct client *client,
 	    (request->length > 4096 || request->length > 512 << speed))
 		return -EIO;
 
+	if (request->tcode == TCODE_WRITE_QUADLET_REQUEST &&
+	    request->length < 4)
+		return -EINVAL;
+
 	e = kmalloc(sizeof(*e) + request->length, GFP_KERNEL);
 	if (e == NULL)
 		return -ENOMEM;