Commit 3fb0cb5d authored by Heikki Orsila's avatar Heikki Orsila Committed by Linus Torvalds

[PATCH] Open IPMI BT overflow

I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent aa1e816f
...@@ -165,7 +165,7 @@ static int bt_start_transaction(struct si_sm_data *bt, ...@@ -165,7 +165,7 @@ static int bt_start_transaction(struct si_sm_data *bt,
{ {
unsigned int i; unsigned int i;
if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))
return -1; return -1;
if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED)) if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment