[S390] cio: fix potential overflow in chpid descriptor
author Sebastian Ott <sebott@linux.vnet.ibm.com>
Mon, 19 Jul 2010 07:22:37 +0000 (09:22 +0200)
committer Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com>
Mon, 19 Jul 2010 07:22:50 +0000 (09:22 +0200)
commit 878c495644be28cc881e7ee792f00fd879a1ebf9
tree 61f9ea2be8e821424d2643c8a26b720fd2a5a3bf
parent 0abccf77402af44855da739b439d01cfb65b4bfd
[S390] cio: fix potential overflow in chpid descriptor

The length field in the chsc response block (if valid)
has a value of n*(sizeof(chp_desc))+8 (for the response
block header). When we memcopied from the response block
to the actual descriptor we copied 8 bytes too much.
The bug was not revealed since the descriptor is embedded
in struct channel_path.
Since we only write one descriptor at a time, ignore the
length value and use sizeof(*desc).

Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
drivers/s390/cio/chsc.c
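
The copy-length error described in the commit message, as an added example that is not part of the commit or the kernel source. The struct layouts, the 8-byte descriptor size, the canary field and the function name are assumptions made for illustration; only the "n * sizeof(descriptor) + 8" length rule comes from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESP_HDR_LEN 8 /* response block header size, per the commit message */
/* Assumed 8-byte descriptor; the real chp_desc layout is not on the page. */
struct chp_desc { uint8_t bytes[8]; };

/* Constructed response block: 8-byte header followed by descriptor data. */
struct resp_block {
    uint16_t length;   /* n * sizeof(struct chp_desc) + RESP_HDR_LEN */
    uint16_t code;
    uint32_t reserved;
    uint8_t  data[32];
};

/* Stand-in for the enclosing struct: the field after desc absorbs the excess. */
struct holder {
    struct chp_desc desc;
    uint8_t canary[8];
};

/* Copy one descriptor and return how many bytes after it were overwritten. */
static int canary_bytes_clobbered(size_t n_desc, int use_fix)
{
    struct resp_block r = { 0 };
    struct holder h;
    size_t len, i;
    int hit = 0;

    memset(r.data, 0xAA, sizeof(r.data));   /* constructed descriptor data */
    r.length = (uint16_t)(n_desc * sizeof(struct chp_desc) + RESP_HDR_LEN);
    memset(&h, 0x5C, sizeof(h));            /* known pattern to detect writes */

    len = use_fix ? sizeof(h.desc) : r.length; /* fixed vs. original length */
    if (len > sizeof(h))
        len = sizeof(h); /* keep the demonstration itself in bounds */
    memcpy(&h, r.data, len);

    for (i = 0; i < sizeof(h.canary); i++)
        hit += (h.canary[i] != 0x5C);
    return hit;
}

int main(void)
{
    printf("%d %d\n", canary_bytes_clobbered(1, 0), canary_bytes_clobbered(1, 1));
    return 0;
}
```

With one descriptor in the response, the length-field copy overwrites the 8 bytes that follow the descriptor, while the `sizeof` copy leaves them intact.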