commit 9c101fd439dab60d6eba76afb35fd2696f42c63d · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[PATCH] coverity: ipmi_msghandler() channels array overrun fix

We fix the check in 1084, which was

1084 if (addr->channel > IPMI_NUM_CHANNELS) {
1085 spin_lock_irqsave(&intf->counter_lock, flags);
1086 intf->sent_invalid_commands++;
1087 spin_unlock_irqrestore(&intf->counter_lock, flags);
1088 rv = -EINVAL;
1089 goto out_err;
1090 }

addr->channel is used in

1092 if (intf->channels[addr->channel].medium

Definitions involved:

221 struct ipmi_channel channels[IPMI_MAX_CHANNELS];

134 #define IPMI_MAX_CHANNELS 8

In /linux-2.6.12-rc6/include/linux/ipmi.h
148 #define IPMI_NUM_CHANNELS 0x10

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

authored by KAMBAROV, ZAUR and committed by Linus Torvalds 20 years ago 9c101fd4 a77e3362

+2 -2

1 changed file

expand all

unified split

drivers

char

ipmi

ipmi_msghandler.c

+2 -2

drivers/char/ipmi/ipmi_msghandler.c

··· 1088 long seqid; 1089 int broadcast = 0; 1090 1091 - if (addr->channel > IPMI_NUM_CHANNELS) { 1092 - spin_lock_irqsave(&intf->counter_lock, flags); 1093 intf->sent_invalid_commands++; 1094 spin_unlock_irqrestore(&intf->counter_lock, flags); 1095 rv = -EINVAL;

··· 1088 long seqid; 1089 int broadcast = 0; 1090 1091 + if (addr->channel >= IPMI_MAX_CHANNELS) { 1092 + spin_lock_irqsave(&intf->counter_lock, flags); 1093 intf->sent_invalid_commands++; 1094 spin_unlock_irqrestore(&intf->counter_lock, flags); 1095 rv = -EINVAL;