3fb0cb5d0f
I was looking into random driver code and found a suspicious looking memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1: if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH)) return -1; ... memcpy(bt->write_data + 3, data + 1, size - 1); where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH. It looks like the memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH. A patch attached to limit size to (IPMI_MAX_LENGTH - 2). Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> |
||
---|---|---|
.. | ||
acorn | ||
acpi | ||
amba | ||
atm | ||
base | ||
block | ||
bluetooth | ||
cdrom | ||
char | ||
connector | ||
cpufreq | ||
crypto | ||
dio | ||
edac | ||
eisa | ||
fc4 | ||
firmware | ||
hwmon | ||
i2c | ||
ide | ||
ieee1394 | ||
infiniband | ||
input | ||
isdn | ||
leds | ||
macintosh | ||
mca | ||
md | ||
media | ||
message | ||
mfd | ||
misc | ||
mmc | ||
mtd | ||
net | ||
nubus | ||
oprofile | ||
parisc | ||
parport | ||
pci | ||
pcmcia | ||
pnp | ||
rapidio | ||
rtc | ||
s390 | ||
sbus | ||
scsi | ||
serial | ||
sh | ||
sn | ||
spi | ||
tc | ||
telephony | ||
usb | ||
video | ||
w1 | ||
zorro | ||
Kconfig | ||
Makefile |