RE: [PATCH v3 01/18] scsi: ufs: Fix memory corruption by ufshcd_read_desc_param()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Bart,

>If param_offset > buff_len then the memcpy() statement in
>ufshcd_read_desc_param() corrupts memory since it copies
>256 + buff_len - param_offset bytes into a buffer with size buff_len.
>Since param_offset < 256 this results in writing past the bound of the
>output buffer.

Reviewed-by: Daejun Park <daejun7.park@xxxxxxxxxxx>

Thanks,
Daejun
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux