From b4208432c602fcd374bc1fb0d64f57d877c515a8 Mon Sep 17 00:00:00 2001 From: Fenghua Yu Date: Tue, 25 Sep 2012 11:11:43 -0700 Subject: [PATCH] --- yaml --- r: 331726 b: refs/heads/master c: 369d913b242cae2205471b11b6e33ac368ed33ec h: refs/heads/master v: v3 --- [refs] | 2 +- trunk/drivers/acpi/tables.c | 18 ++++++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/[refs] b/[refs] index d6d38a774e04..5d9a0cea0a37 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: fc54ab72959edbf229b65ac74b2f122d799ca002 +refs/heads/master: 369d913b242cae2205471b11b6e33ac368ed33ec diff --git a/trunk/drivers/acpi/tables.c b/trunk/drivers/acpi/tables.c index f336bca7c450..2572d9715bda 100644 --- a/trunk/drivers/acpi/tables.c +++ b/trunk/drivers/acpi/tables.c @@ -240,10 +240,17 @@ acpi_table_parse_entries(char *id, table_end) { if (entry->type == entry_id && (!max_entries || count++ < max_entries)) - if (handler(entry, table_end)) { - early_acpi_os_unmap_memory((char *)table_header, tbl_size); - return -EINVAL; - } + if (handler(entry, table_end)) + goto err; + + /* + * If entry->length is 0, break from this loop to avoid + * infinite loop. + */ + if (entry->length == 0) { + pr_err(PREFIX "[%4.4s:0x%02x] Invalid zero length\n", id, entry_id); + goto err; + } entry = (struct acpi_subtable_header *) ((unsigned long)entry + entry->length); @@ -255,6 +262,9 @@ acpi_table_parse_entries(char *id, early_acpi_os_unmap_memory((char *)table_header, tbl_size); return count; +err: + early_acpi_os_unmap_memory((char *)table_header, tbl_size); + return -EINVAL; } int __init