Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7
commit3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7[log] [tgz]
authorHeikki Orsila <shd@jolt.modeemi.cs.tut.fi>Tue Apr 18 22:21:55 2006 -0700
committerLinus Torvalds <torvalds@g5.osdl.org>Wed Apr 19 09:13:52 2006 -0700
tree8b1306cc288c0d700ff23a88b26c8d7656fc8d6c
parentaa1e816fc92215f94bdfd90107baae8fdc2440d1 [diff]
[PATCH] Open IPMI BT overflow

I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
1 file changed
tree: 8b1306cc288c0d700ff23a88b26c8d7656fc8d6c
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. fs/
  7. include/
  8. init/
  9. ipc/
  10. kernel/
  11. lib/
  12. mm/
  13. net/
  14. scripts/
  15. security/
  16. sound/
  17. usr/
  18. .gitignore
  19. COPYING
  20. CREDITS
  21. Kbuild
  22. MAINTAINERS
  23. Makefile
  24. README
  25. REPORTING-BUGS