| From abdfeffd7b7a54193298992d30926424b1def562 Mon Sep 17 00:00:00 2001 |
| From: Chen Gang <gang.chen@asianux.com> |
| Date: Thu, 16 May 2013 14:04:25 -0500 |
| Subject: [PATCH] drivers/char/ipmi: memcpy, need additional 2 bytes to avoid |
| memory overflow |
| |
| commit a5f2b3d6a738e7d4180012fe7b541172f8c8dcea upstream. |
| |
| When calling memcpy, read_data and write_data need additional 2 bytes. |
| |
| write_data: |
| for checking: "if (size > IPMI_MAX_MSG_LENGTH)" |
| for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)" |
| |
| read_data: |
| for checking: "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)" |
| for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)" |
| |
| Signed-off-by: Chen Gang <gang.chen@asianux.com> |
| Signed-off-by: Corey Minyard <cminyard@mvista.com> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| drivers/char/ipmi/ipmi_bt_sm.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| diff --git a/drivers/char/ipmi/ipmi_bt_sm.c b/drivers/char/ipmi/ipmi_bt_sm.c |
| index 7b98c067190a..a65a574eac6b 100644 |
| --- a/drivers/char/ipmi/ipmi_bt_sm.c |
| +++ b/drivers/char/ipmi/ipmi_bt_sm.c |
| @@ -95,9 +95,9 @@ struct si_sm_data { |
| enum bt_states state; |
| unsigned char seq; /* BT sequence number */ |
| struct si_sm_io *io; |
| - unsigned char write_data[IPMI_MAX_MSG_LENGTH]; |
| + unsigned char write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */ |
| int write_count; |
| - unsigned char read_data[IPMI_MAX_MSG_LENGTH]; |
| + unsigned char read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */ |
| int read_count; |
| int truncated; |
| long timeout; /* microseconds countdown */ |
| -- |
| 1.8.5.2 |
| |