Index: madt.c
===================================================================
RCS file: /host/cvs/usr/cvs/src/sys/i386/acpica/madt.c,v
retrieving revision 1.19.2.4
diff -u -r1.19.2.4 madt.c
--- madt.c 5 Oct 2007 15:22:36 -0000 1.19.2.4
+++ madt.c 18 Jan 2008 15:01:40 -0000
@@ -164,7 +164,20 @@
 }
 length = header->Length;
 madt_unmap(header, sizeof(ACPI_TABLE_HEADER));
+ if (length > (MAXDUMPPGS - offset) * PAGE_SIZE) {
+ printf("MADT: %s is too long, truncating\n", sig);
+ length = (MAXDUMPPGS - offset) * PAGE_SIZE;
+ }
 table = madt_map(pa, offset, length);
+ header = table;
+ if (header->Length != length) {
+ /*
+ * If we truncated the table, fixup the length to
+ * perpetuate the lie and skip the checksum.
+ */
+ header->Length = length;
+ return (table);
+ }
 if (ACPI_FAILURE(AcpiTbVerifyTableChecksum(table))) {
 if (bootverbose)
 printf("MADT: Failed checksum for table %s\n", sig);
@@ -267,6 +280,10 @@
 if (bootverbose)
 printf("MADT: Found table at 0x%jx\n",
 (uintmax_t)madt_physaddr);
+ if (madt_length > MAXDUMPPGS * PAGE_SIZE) {
+ printf("MADT: Table is too large, ignoring\n");
+ return (ENXIO);
+ }

 /*
 * Verify that we can map the full table and that its checksum is
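Review bot: The new cap on `length` is computed in whole pages and bounds it only from above: `(MAXDUMPPGS - offset) * PAGE_SIZE` leaves no room for the offset of `pa` inside its first page, and nothing before `table = madt_map(pa, offset, length)` rejects a firmware-supplied `header->Length` smaller than `sizeof(ACPI_TABLE_HEADER)`. madt_map() is outside this hunk, so whether it rounds up for an unaligned `pa` needs confirming; if it does, subtract `(pa & PAGE_MASK)` from the cap, and the same applies to the `madt_length > MAXDUMPPGS * PAGE_SIZE` test in the second hunk. For the short case, a guard like `if (length < sizeof(ACPI_TABLE_HEADER))` that fails the same way the checksum path does would keep the later `header->Length` read inside the table. The truncated return also bypasses AcpiTbVerifyTableChecksum(), so the comment should state that callers receive unverified data that may end in the middle of an entry. The enclosing function starts and ends outside the hunk.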
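Review bot: The rejection message at `printf("MADT: Table is too large, ignoring\n");` does not report the length that tripped the limit, which makes a bad firmware table hard to tell apart from a limit that is simply too small. Printing the value, for example `printf("MADT: Table is too large (%ju bytes), ignoring\n", (uintmax_t)madt_length);`, would give an operator something to act on. A one-line comment above the check should also say why an oversized MADT is rejected here while the first hunk truncates other tables; from the hunk alone the difference looks accidental. Where `madt_length` is assigned is outside the hunk, as is the rest of the function.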