averello/linux-stable-mirror
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2026-03-03 18:28:01 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
b775565952ab8f33a49bfcb2c6dcfaba1e82dee3
linux-stable-mirror/drivers/char/ipmi
History
Heikki Orsila 3fb0cb5d0f [PATCH] Open IPMI BT overflow 
I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-04-19 09:13:52 -07:00
..
ipmi_bt_sm.c
[PATCH] Open IPMI BT overflow
2006-04-19 09:13:52 -07:00
ipmi_devintf.c
[PATCH] IPMI: convert from semaphores to mutexes
2006-03-31 12:18:54 -08:00
ipmi_kcs_sm.c
[PATCH] IPMI: tidy up various things
2006-03-31 12:18:54 -08:00
ipmi_msghandler.c
[PATCH] ipmi: fix event queue limit
2006-04-11 06:18:45 -07:00
ipmi_poweroff.c
[PATCH] IPMI: tidy up various things
2006-03-31 12:18:54 -08:00
ipmi_si_intf.c
[PATCH] IPMI: fix devinit placement
2006-04-19 09:13:52 -07:00
ipmi_si_sm.h
[PATCH] ipmi: add generic PCI handling
2006-03-26 08:56:56 -08:00
ipmi_smic_sm.c
[PATCH] ipmi: more dell fixes
2005-11-07 07:53:44 -08:00
ipmi_watchdog.c
[PATCH] IPMI: convert from semaphores to mutexes
2006-03-31 12:18:54 -08:00
Kconfig
Linux-2.6.12-rc2
2005-04-16 15:20:36 -07:00
Makefile
Linux-2.6.12-rc2
2005-04-16 15:20:36 -07:00