summaryrefslogtreecommitdiffstats
path: root/drivers/char/ipmi/ipmi_smic_sm.c
diff options
context:
space:
mode:
authorHeikki Orsila <shd@jolt.modeemi.cs.tut.fi>2006-04-18 22:21:55 -0700
committerLinus Torvalds <torvalds@g5.osdl.org>2006-04-19 09:13:52 -0700
commit3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7 (patch)
tree8b1306cc288c0d700ff23a88b26c8d7656fc8d6c /drivers/char/ipmi/ipmi_smic_sm.c
parentaa1e816fc92215f94bdfd90107baae8fdc2440d1 (diff)
downloadblackbird-op-linux-3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7.tar.gz
blackbird-op-linux-3fb0cb5d0f8b915a75677e8e8e4a4a4e481f03f7.zip
[PATCH] Open IPMI BT overflow
I was looking into random driver code and found a suspicious looking memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) return -1; ... memcpy(bt->write_data + 3, data + 1, size - 1); where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch attached to limit size to (IPMI_MAX_LENGTH - 2). Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/char/ipmi/ipmi_smic_sm.c')
0 files changed, 0 insertions, 0 deletions
OpenPOWER on IntegriCloud