On Tue, Oct 05, 2021 at 04:16:11PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> There is an off-by-one bounds check on the rcvlen causing a potential
> out of bounds write on iidev->rcvmsg. Fix this by using the >= operator
> on the bounds check rather than the > operator.
Got it, thanks.
-corey
>
> Addresses-Coverity: ("Out-of-bounds write")
> Fixes: 0ba0c3c5d1c1 ("ipmi:ipmb: Add initial support for IPMI over IPMB")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> ---
> drivers/char/ipmi/ipmi_ipmb.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/char/ipmi/ipmi_ipmb.c b/drivers/char/ipmi/ipmi_ipmb.c
> index b10a1fd9c563..77ebec4ed28e 100644
> --- a/drivers/char/ipmi/ipmi_ipmb.c
> +++ b/drivers/char/ipmi/ipmi_ipmb.c
> @@ -192,7 +192,7 @@ static int ipmi_ipmb_slave_cb(struct i2c_client *client,
> break;
>
> case I2C_SLAVE_WRITE_RECEIVED:
> - if (iidev->rcvlen > sizeof(iidev->rcvmsg))
> + if (iidev->rcvlen >= sizeof(iidev->rcvmsg))
> iidev->overrun = true;
> else
> iidev->rcvmsg[iidev->rcvlen++] = *val;
> --
> 2.32.0
>
>
>
> _______________________________________________
> Openipmi-developer mailing list
> Openipmi-developer@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openipmi-developer
