From: Sebastian Ott Date: Mon, 19 Jul 2010 07:22:37 +0000 (+0200) Subject: [S390] cio: fix potential overflow in chpid descriptor X-Git-Tag: firefly_0821_release~9833^2~1403^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=878c495644be28cc881e7ee792f00fd879a1ebf9;p=firefly-linux-kernel-4.4.55.git [S390] cio: fix potential overflow in chpid descriptor The length filed in the chsc response block (if valid) has a value of n*(sizeof(chp_desc))+8 (for the response block header). When we memcopied from the response block to the actual descriptor we copied 8 bytes too much. The bug was not revealed since the descriptor is embedded in struct channel_path. Since we only write one descriptor at a time ignore the length value and use sizeof(*desc). Signed-off-by: Sebastian Ott Signed-off-by: Martin Schwidefsky --- diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c index ce7cb87479fe..407d0e9adfaf 100644 --- a/drivers/s390/cio/chsc.c +++ b/drivers/s390/cio/chsc.c @@ -713,7 +713,7 @@ int chsc_determine_base_channel_path_desc(struct chp_id chpid, ret = chsc_determine_channel_path_desc(chpid, 0, 0, 0, 0, chsc_resp); if (ret) goto out_free; - memcpy(desc, &chsc_resp->data, chsc_resp->length); + memcpy(desc, &chsc_resp->data, sizeof(*desc)); out_free: kfree(chsc_resp); return ret;