]> git.kernelconcepts.de Git - karo-tx-linux.git/commit
projects / karo-tx-linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3e5a2e9) | patch
[PATCH] Open IPMI BT overflow
authorHeikki Orsila <shd@jolt.modeemi.cs.tut.fi>
Wed, 19 Apr 2006 17:01:01 +0000 (17:01 +0000)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 24 Apr 2006 16:56:04 +0000 (09:56 -0700)
commit3696ee36c993baee282a7be6245c7e7df5db1f83
treec097cdd4d9d441bd5ea10068935c9ef4f0b04cdatree | snapshot
parent3e5a2e956fff9e975e1b76c4de314cd077c6ec87commit | diff
[PATCH] Open IPMI BT overflow

I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
return -1;
...
memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/char/ipmi/ipmi_bt_sm.c diff | blob | history
Linux kernel for KaRo TX COM modules