mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-19 02:04:19 +08:00
3fb0cb5d0f
I was looking into random driver code and found a suspicious looking memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) return -1; ... memcpy(bt->write_data + 3, data + 1, size - 1); where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch attached to limit size to (IPMI_MAX_LENGTH - 2). Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> |
||
---|---|---|
.. | ||
ipmi_bt_sm.c | ||
ipmi_devintf.c | ||
ipmi_kcs_sm.c | ||
ipmi_msghandler.c | ||
ipmi_poweroff.c | ||
ipmi_si_intf.c | ||
ipmi_si_sm.h | ||
ipmi_smic_sm.c | ||
ipmi_watchdog.c | ||
Kconfig | ||
Makefile |