[PATCH] Open IPMI BT overflow · tjh.dev/kernel@3fb0cb5

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[PATCH] Open IPMI BT overflow

I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
return -1;
...
memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by

Heikki Orsila and committed by

Linus Torvalds 20 years ago 3fb0cb5d aa1e816f

+1 -1

1 changed file

expand all

drivers

char

ipmi

ipmi_bt_sm.c

+1 -1

drivers/char/ipmi/ipmi_bt_sm.c

··· 165 165 { 166 166 unsigned int i; 167 167 168 - if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) 168 + if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2))) 169 169 return -1; 170 170 171 171 if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))