[PATCH 1/1] Open IPMI BT overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I was looking into random driver code and found a suspicious looking 
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the 
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch 
attached to limit size to (IPMI_MAX_LENGTH - 2). I'm unfamiliar with the 
driver and interface so it's very possible I'm wrong.

-- 
Heikki Orsila			Barbie's law:
[email protected]		"Math is hard, let's go shopping!"
http://www.iki.fi/shd
diff -urp linux-2.6.17-rc1-org/drivers/char/ipmi/ipmi_bt_sm.c linux-2.6.17-rc1/drivers/char/ipmi/ipmi_bt_sm.c
--- linux-2.6.17-rc1-org/drivers/char/ipmi/ipmi_bt_sm.c	2006-04-03 06:22:10.000000000 +0300
+++ linux-2.6.17-rc1/drivers/char/ipmi/ipmi_bt_sm.c	2006-04-15 02:05:29.000000000 +0300
@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s
 {
 	unsigned int i;
 
-	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
+	if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))
 	       return -1;
 
 	if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux