[PATCH 1/1] Open IPMI BT overflow
- From: shd@xxxxxxxxxxxxxxxxxxxxxx (Heikki Orsila)
- Date: Sat, 15 Apr 2006 02:15:41 +0300
I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:
if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
return -1;
...
memcpy(bt->write_data + 3, data + 1, size - 1);
where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch
attached to limit size to (IPMI_MAX_LENGTH - 2). I'm unfamiliar with the
driver and interface so it's very possible I'm wrong.
--
Heikki Orsila Barbie's law:
heikki.orsila@xxxxxx "Math is hard, let's go shopping!"
http://www.iki.fi/shd
diff -urp linux-2.6.17-rc1-org/drivers/char/ipmi/ipmi_bt_sm.c linux-2.6.17-rc1/drivers/char/ipmi/ipmi_bt_sm.c
--- linux-2.6.17-rc1-org/drivers/char/ipmi/ipmi_bt_sm.c 2006-04-03 06:22:10.000000000 +0300
+++ linux-2.6.17-rc1/drivers/char/ipmi/ipmi_bt_sm.c 2006-04-15 02:05:29.000000000 +0300
@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s
{
unsigned int i;
- if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
+ if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))
return -1;
if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))
- Prev by Date: Problems (lockup/hang) with PCI-X slot on X5DPL motherboard
- Next by Date: RE: [patch 1/3] acpi: dock driver
- Previous by thread: Problems (lockup/hang) with PCI-X slot on X5DPL motherboard
- Next by thread: [PATCH] x86 cpuid and msr notifier callback section mismatches
- Index(es):
