ACPICA: Resources: Fix loop termination for the get AML length function.

The loop terminates on a NULL resource pointer, which can never happen since the loop simply increments a valid resource pointer. This fix changes the loop to terminate on an end-of-buffer condition. Problem can be seen by callers to AcpiSetCurrentResources with an invalid or corrupted resource descriptor; or a resource descriptor without an END_TAG descriptor. (refined by Bob Moore) Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Lv Zheng <lv.zheng@intel.com> Signed-off-by: Bob Moore <robert.moore@intel.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2013-11-21 12:17:34 +08:00
commit 9a0a359725
--- a/drivers/acpi/acpica/acresrc.h
+++ b/drivers/acpi/acpica/acresrc.h
@@ -184,7 +184,7 @@ acpi_rs_create_resource_list(union acpi_operand_object *aml_buffer,
 			     struct acpi_buffer *output_buffer);

 acpi_status
-acpi_rs_create_aml_resources(struct acpi_resource *linked_list_buffer,
+acpi_rs_create_aml_resources(struct acpi_buffer *resource_list,
 			     struct acpi_buffer *output_buffer);

 acpi_status
@@ -227,8 +227,8 @@ acpi_rs_get_list_length(u8 * aml_buffer,
 			u32 aml_buffer_length, acpi_size * size_needed);

 acpi_status
-acpi_rs_get_aml_length(struct acpi_resource *linked_list_buffer,
-		       acpi_size * size_needed);
+acpi_rs_get_aml_length(struct acpi_resource *resource_list,
+		       acpi_size resource_list_size, acpi_size * size_needed);

 acpi_status
 acpi_rs_get_pci_routing_table_length(union acpi_operand_object *package_object,