diff options
author | Heikki Orsila <shd@jolt.modeemi.cs.tut.fi> | 2006-04-18 22:21:55 -0700 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-04-19 09:13:52 -0700 |
commit | 3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7 (patch) | |
tree | 8b1306cc288c0d700ff23a88b26c8d7656fc8d6c | |
parent | aa1e816fc92215f94bdfd90107baae8fdc2440d1 (diff) | |
download | op-kernel-dev-3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7.zip op-kernel-dev-3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7.tar.gz |
[PATCH] Open IPMI BT overflow
I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:
if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
return -1;
...
memcpy(bt->write_data + 3, data + 1, size - 1);
where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).
Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | drivers/char/ipmi/ipmi_bt_sm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c index 58dcdee..0030cd8 100644 --- a/drivers/char/ipmi/ipmi_bt_sm.c +++ b/drivers/char/ipmi/ipmi_bt_sm.c @@ -165,7 +165,7 @@ static int bt_start_transaction(struct si_sm_data *bt, { unsigned int i; - if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) + if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2))) return -1; if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED)) |