asgardius/android_kernel_motorola_sm6225
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_motorola_sm6225/drivers/char/ipmi
History
Heikki Orsila 3fb0cb5d0f [PATCH] Open IPMI BT overflow 
I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-04-19 09:13:52 -07:00
..
ipmi_bt_sm.c [PATCH] Open IPMI BT overflow 2006-04-19 09:13:52 -07:00
ipmi_devintf.c [PATCH] IPMI: convert from semaphores to mutexes 2006-03-31 12:18:54 -08:00
ipmi_kcs_sm.c [PATCH] IPMI: tidy up various things 2006-03-31 12:18:54 -08:00
ipmi_msghandler.c [PATCH] ipmi: fix event queue limit 2006-04-11 06:18:45 -07:00
ipmi_poweroff.c [PATCH] IPMI: tidy up various things 2006-03-31 12:18:54 -08:00
ipmi_si_intf.c [PATCH] IPMI: fix devinit placement 2006-04-19 09:13:52 -07:00
ipmi_si_sm.h [PATCH] ipmi: add generic PCI handling 2006-03-26 08:56:56 -08:00
ipmi_smic_sm.c [PATCH] ipmi: more dell fixes 2005-11-07 07:53:44 -08:00
ipmi_watchdog.c [PATCH] IPMI: convert from semaphores to mutexes 2006-03-31 12:18:54 -08:00
Kconfig Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
Makefile Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00