From: Alex Ng <alexng@xxxxxxxxxxxxxxxxxxxxxx> There's a bug which passes the output buffer size as MAX_IP_ADDR_SIZE, when converting the adapter_id field to UTF16. This is much larger than the actual size (MAX_ADAPTER_ID_SIZE). Fix this by passing the proper size. Fortunately, the translation is limited by the length of the input. This explains why we haven't seen output buffer overflow conditions. Signed-off-by: Alex Ng <alexng@xxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: K. Y. Srinivasan <kys@xxxxxxxxxxxxx> --- drivers/hv/hv_kvp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/hv/hv_kvp.c b/drivers/hv/hv_kvp.c index 9a90b91..5eed1e7 100644 --- a/drivers/hv/hv_kvp.c +++ b/drivers/hv/hv_kvp.c @@ -304,7 +304,7 @@ static int process_ob_ipinfo(void *in_msg, void *out_msg, int op) strlen((char *)in->body.kvp_ip_val.adapter_id), UTF16_HOST_ENDIAN, (wchar_t *)out->kvp_ip_val.adapter_id, - MAX_IP_ADDR_SIZE); + MAX_ADAPTER_ID_SIZE); if (len < 0) return len; -- 1.7.1 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
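Review bot: the corrected last argument, MAX_ADAPTER_ID_SIZE, is still a constant chosen by hand rather than derived from the destination, which is the same pattern that let MAX_IP_ADDR_SIZE slip in. If out->kvp_ip_val.adapter_id is a fixed-size array, passing ARRAY_SIZE(out->kvp_ip_val.adapter_id) would tie the bound to the declaration and count it in elements. Please also confirm that the limit is expressed in the unit the conversion expects (16-bit code units rather than bytes), since the destination is cast to wchar_t *. Separately, the commit message relies on the input length to bound the output, and that length comes from strlen((char *)in->body.kvp_ip_val.adapter_id) in the context lines. That only holds if the field is NUL-terminated inside its own buffer, which nothing in the visible hunk checks, so a bounded length such as strnlen() with the source field size would make the argument hold independently of the sender.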