Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a5f2b3d6 authored by Chen Gang's avatar Chen Gang Committed by Linus Torvalds
Browse files

drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow 



When calling memcpy, read_data and write_data need additional 2 bytes.

  write_data:
    for checking:  "if (size > IPMI_MAX_MSG_LENGTH)"
    for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)"

  read_data:
    for checking:  "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)"
    for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)"

Signed-off-by: default avatarChen Gang <gang.chen@asianux.com>
Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 1b6b698f

drivers/char/ipmi/ipmi_bt_sm.c

+2 −2
Original line number Diff line number Diff line
@@ -95,9 +95,9 @@ struct si_sm_data { 
	enum bt_states	state;

	unsigned char	seq;		/* BT sequence number */

	struct si_sm_io	*io;

	unsigned char	write_data[IPMI_MAX_MSG_LENGTH];

	unsigned char	write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */

	int		write_count;

	unsigned char	read_data[IPMI_MAX_MSG_LENGTH];

	unsigned char	read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */

	int		read_count;

	int		truncated;

	long		timeout;	/* microseconds countdown */