• Heikki Orsila's avatar
    [PATCH] Open IPMI BT overflow · 3fb0cb5d
    Heikki Orsila authored
    I was looking into random driver code and found a suspicious looking
    memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:
    
    	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
    		return -1;
    	...
    	memcpy(bt->write_data + 3, data + 1, size - 1);
    
    where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
    memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
    attached to limit size to (IPMI_MAX_LENGTH - 2).
    
    Cc: Corey Minyard <minyard@acm.org>
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    3fb0cb5d
ipmi_bt_sm.c 15.6 KB