[PATCH] Open IPMI BT overflow
authorHeikki Orsila <shd@jolt.modeemi.cs.tut.fi>
Wed, 19 Apr 2006 05:21:55 +0000 (22:21 -0700)
committerLinus Torvalds <torvalds@g5.osdl.org>
Wed, 19 Apr 2006 16:13:52 +0000 (09:13 -0700)
I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
return -1;
...
memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
drivers/char/ipmi/ipmi_bt_sm.c

index 58dcdee1cd719ab3d165907fb76f53c6e55c5db6..0030cd8e2e956cb436ae781c854ba41df23058a9 100644 (file)
@@ -165,7 +165,7 @@ static int bt_start_transaction(struct si_sm_data *bt,
 {
        unsigned int i;
 
-       if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
+       if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))
               return -1;
 
        if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))