Commit 308ee8aa authored by David Binder's avatar David Binder Committed by Greg Kroah-Hartman

staging: unisys: visorbus: Check controlvm message payload size

Checks the controlvm message's payload size before copying it into a
parser_context struct's name region.
Signed-off-by: default avatarDavid Binder <david.binder@unisys.com>
Signed-off-by: default avatarDavid Kershner <david.kershner@unisys.com>
Reported-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0c773962
...@@ -399,6 +399,10 @@ parser_name_get(struct parser_context *ctx) ...@@ -399,6 +399,10 @@ parser_name_get(struct parser_context *ctx)
struct spar_controlvm_parameters_header *phdr = NULL; struct spar_controlvm_parameters_header *phdr = NULL;
phdr = (struct spar_controlvm_parameters_header *)(ctx->data); phdr = (struct spar_controlvm_parameters_header *)(ctx->data);
if (phdr->name_offset + phdr->name_length > ctx->param_bytes)
return NULL;
ctx->curr = ctx->data + phdr->name_offset; ctx->curr = ctx->data + phdr->name_offset;
ctx->bytes_remaining = phdr->name_length; ctx->bytes_remaining = phdr->name_length;
return parser_string_get(ctx); return parser_string_get(ctx);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment