ACPICA: Prevent possible allocation overrun during object copy

Original code did not handle the case where the object to be copied was a namespace node. Signed-off-by: Lin Ming <ming.m.lin@intel.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Len Brown <len.brown@intel.com>
mariux64 · May 6, 2010 · 17b8232 · 17b8232
1 parent 3fe5020
commit 17b8232
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
@@ -677,16 +677,24 @@ acpi_ut_copy_simple_object(union acpi_operand_object *source_desc,
 	u16 reference_count;
 	union acpi_operand_object *next_object;
 	acpi_status status;
+	acpi_size copy_size;
 
 	/* Save fields from destination that we don't want to overwrite */
 
 	reference_count = dest_desc->common.reference_count;
 	next_object = dest_desc->common.next_object;
 
-	/* Copy the entire source object over the destination object */
+	/*
+	 * Copy the entire source object over the destination object.
+	 * Note: Source can be either an operand object or namespace node.
+	 */
+	copy_size = sizeof(union acpi_operand_object);
+	if (ACPI_GET_DESCRIPTOR_TYPE(source_desc) == ACPI_DESC_TYPE_NAMED) {
+		copy_size = sizeof(struct acpi_namespace_node);
+	}
 
-	ACPI_MEMCPY((char *)dest_desc, (char *)source_desc,
-		    sizeof(union acpi_operand_object));
+	ACPI_MEMCPY(ACPI_CAST_PTR(char, dest_desc),
+		    ACPI_CAST_PTR(char, source_desc), copy_size);
 
 	/* Restore the saved fields */