The patch titled

     Open IPMI BT overflow

has been added to the -mm tree.  Its filename is

     open-ipmi-bt-overflow.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

From: shd@xxxxxxxxxxxxxxxxxxxxxx (Heikki Orsila)

I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 drivers/char/ipmi/ipmi_bt_sm.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN drivers/char/ipmi/ipmi_bt_sm.c~open-ipmi-bt-overflow drivers/char/ipmi/ipmi_bt_sm.c
--- devel/drivers/char/ipmi/ipmi_bt_sm.c~open-ipmi-bt-overflow	2006-04-14 22:14:14.000000000 -0700
+++ devel-akpm/drivers/char/ipmi/ipmi_bt_sm.c	2006-04-14 22:14:14.000000000 -0700
@@ -165,7 +165,7 @@ static int bt_start_transaction(struct s
 {
 	unsigned int i;
 
-	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
+	if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))
 		return -1;
 
 	if ((bt->state != BT_STATE_IDLE) && (bt->state != BT_STATE_HOSED))
_

Patches currently in -mm which might be from minyard@xxxxxxx are

origin.patch
open-ipmi-bt-overflow.patch
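Review bot: the `- 2` in `if ((size < 2) || (size > (IPMI_MAX_MSG_LENGTH - 2)))` is an unexplained magic number; it is correct for the copy quoted in the description (`memcpy(bt->write_data + 3, data + 1, size - 1)` ends at offset 3 + (size - 1) = size + 2, so size may be at most IPMI_MAX_MSG_LENGTH - 2 for write_data to hold it), but nothing in the hunk ties the constant to the 3-byte destination offset. Suggest a one-line comment stating that derivation, or expressing the limit in terms of sizeof(bt->write_data) and the header length so the check and the memcpy cannot drift apart. Minor: the description says "IPMI_MAX_LENGTH - 2" where the code uses IPMI_MAX_MSG_LENGTH.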
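The overflow arithmetic from the report above, as an added example that is not code from the patch or from the driver: a small model of the length check and the copy, run with the original and the patched bound. IPMI_MAX_MSG_LENGTH is assumed to be 272 here (the page does not give its value), and bt_model, bt_write_end, bt_start_transaction_model and run_case are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* IPMI_MAX_MSG_LENGTH is named on the page; 272 is an assumed value. */
#define IPMI_MAX_MSG_LENGTH 272
#define BT_HDR_LEN 3 /* the memcpy destination is write_data + 3 */

struct bt_model { unsigned char write_data[IPMI_MAX_MSG_LENGTH]; };

/* One past the last byte memcpy(write_data + 3, data + 1, size - 1) touches. */
static unsigned int bt_write_end(unsigned int size)
{
    return BT_HDR_LEN + (size - 1); /* == size + 2 */
}

/* fixed == 0 applies the original bound, fixed != 0 the patched one.
 * Returns -1 if rejected, -2 if accepted but the copy would overrun
 * write_data (skipped here instead of performed), 0 if copied in bounds. */
static int bt_start_transaction_model(struct bt_model *bt, const unsigned char *data,
                                      unsigned int size, int fixed)
{
    unsigned int limit = fixed ? IPMI_MAX_MSG_LENGTH - 2 : IPMI_MAX_MSG_LENGTH;
    if ((size < 2) || (size > limit))
        return -1;
    if (bt_write_end(size) > sizeof(bt->write_data))
        return -2;
    memcpy(bt->write_data + BT_HDR_LEN, data + 1, size - 1);
    return 0;
}

/* One case against a zeroed model and a constructed 0x5a-filled payload. */
static int run_case(unsigned int size, int fixed)
{
    static unsigned char data[IPMI_MAX_MSG_LENGTH];
    static struct bt_model bt;
    memset(data, 0x5a, sizeof(data));
    memset(&bt, 0, sizeof(bt));
    return bt_start_transaction_model(&bt, data, size, fixed);
}

int main(void)
{
    for (unsigned int s = IPMI_MAX_MSG_LENGTH - 2; s <= IPMI_MAX_MSG_LENGTH; s++)
        printf("size=%u end=%u original=%d patched=%d\n", s,
               bt_write_end(s), run_case(s, 0), run_case(s, 1));
    return 0;
}
```

With the original bound the two largest sizes pass the check yet end 1 and 2 bytes past write_data; with the patched bound they are rejected and IPMI_MAX_MSG_LENGTH - 2 fills the buffer exactly.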