From 5bada980be1c49a666d453238e11d00454322bd0 Mon Sep 17 00:00:00 2001 From: Matthew Dharm Date: Sun, 4 Dec 2005 21:59:45 -0800 Subject: [PATCH] --- yaml --- r: 15491 b: refs/heads/master c: a6c976c6c4628ce0c9277c47e7545956d9d4f441 h: refs/heads/master i: 15489: 04c9b918435b1ee94a0fe377fb6f9e575cf807c6 15487: 30c37efe9a49266212301b8e8d6b0c4ec6a228bf v: v3 --- [refs] | 2 +- trunk/drivers/usb/storage/sddr09.c | 33 +++++++++++++++++++++--------- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/[refs] b/[refs] index 8dc2040bc3e4..8a58dc406a55 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 0dc08a357538de3d93305fbf99348663abdbf2cd +refs/heads/master: a6c976c6c4628ce0c9277c47e7545956d9d4f441 diff --git a/trunk/drivers/usb/storage/sddr09.c b/trunk/drivers/usb/storage/sddr09.c index 760fe9362b6d..b8e7802c871d 100644 --- a/trunk/drivers/usb/storage/sddr09.c +++ b/trunk/drivers/usb/storage/sddr09.c @@ -711,6 +711,13 @@ sddr09_read_data(struct us_data *us, unsigned int len, index, offset; int result; + // Figure out the initial LBA and page + lba = address >> info->blockshift; + page = (address & info->blockmask); + maxlba = info->capacity >> (info->pageshift + info->blockshift); + if (lba >= maxlba) + return -EIO; + // Since we only read in one block at a time, we have to create // a bounce buffer and move the data a piece at a time between the // bounce buffer and the actual transfer buffer. @@ -722,11 +729,6 @@ sddr09_read_data(struct us_data *us, return -ENOMEM; } - // Figure out the initial LBA and page - lba = address >> info->blockshift; - page = (address & info->blockmask); - maxlba = info->capacity >> (info->pageshift + info->blockshift); - // This could be made much more efficient by checking for // contiguous LBA's. Another exercise left to the student. @@ -928,13 +930,20 @@ sddr09_write_data(struct us_data *us, unsigned int sectors) { struct sddr09_card_info *info = (struct sddr09_card_info *) us->extra; - unsigned int lba, page, pages; + unsigned int lba, maxlba, page, pages; unsigned int pagelen, blocklen; unsigned char *blockbuffer; unsigned char *buffer; unsigned int len, index, offset; int result; + // Figure out the initial LBA and page + lba = address >> info->blockshift; + page = (address & info->blockmask); + maxlba = info->capacity >> (info->pageshift + info->blockshift); + if (lba >= maxlba) + return -EIO; + // blockbuffer is used for reading in the old data, overwriting // with the new data, and performing ECC calculations @@ -961,10 +970,6 @@ sddr09_write_data(struct us_data *us, return -ENOMEM; } - // Figure out the initial LBA and page - lba = address >> info->blockshift; - page = (address & info->blockmask); - result = 0; index = offset = 0; @@ -975,6 +980,14 @@ sddr09_write_data(struct us_data *us, pages = min(sectors, info->blocksize - page); len = (pages << info->pageshift); + /* Not overflowing capacity? */ + if (lba >= maxlba) { + US_DEBUGP("Error: Requested lba %u exceeds " + "maximum %u\n", lba, maxlba); + result = -EIO; + break; + } + // Get the data from the transfer buffer usb_stor_access_xfer_buf(buffer, len, us->srb, &index, &offset, FROM_XFER_BUF);