firewire: check cdev response length

[pandora-kernel.git] / drivers / firewire / core-cdev.c

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index 9d1a1a1..50332b8 100644 (file)
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -756,9 +756,12 @@ static int ioctl_send_response(struct client *client, union ioctl_arg *arg)
        if (is_fcp_request(r->request))
                goto out;
 
-       if (a->length < r->length)
-               r->length = a->length;
-       if (copy_from_user(r->data, u64_to_uptr(a->data), r->length)) {
+       if (a->length != fw_get_response_length(r->request)) {
+               ret = -EINVAL;
+               kfree(r->request);
+               goto out;
+       }
+       if (copy_from_user(r->data, u64_to_uptr(a->data), a->length)) {
                ret = -EFAULT;
                kfree(r->request);
                goto out;