From 3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7 Mon Sep 17 00:00:00 2001 From: Heikki Orsila Date: Tue, 18 Apr 2006 22:21:55 -0700 Subject: [PATCH] Open IPMI BT overflow I was looking into random driver code and found a suspicious looking memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) return -1; ... memcpy(bt->write_data + 3, data + 1, size - 1); where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch attached to limit size to (IPMI_MAX_LENGTH - 2). Cc: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/ipmi/ipmi_bt_sm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/char/ipmi/ipmi_bt_sm.c') diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c index 58dcdee1cd71..0030cd8e2e95 100644 --- a/drivers/char/ipmi/ipmi_bt_sm.c +++ b/drivers/char/ipmi/ipmi_bt_sm.c @@ -165,7 +165,7 @@ static int bt_start_transaction(struct si_sm_data *bt, { unsigned int i; - if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) + if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2))) return -1; if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED)) -- cgit v1.2.3