drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow

When calling memcpy, read_data and write_data need additional 2 bytes. write_data: for checking: "if (size > IPMI_MAX_MSG_LENGTH)" for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)" read_data: for checking: "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)" for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)" Signed-off-by: N Chen Gang <gang.chen@asianux.com> Signed-off-by: N Corey Minyard <cminyard@mvista.com> Cc: stable@vger.kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow
When calling memcpy, read_data and write_data need additional 2 bytes. write_data: for checking: "if (size > IPMI_MAX_MSG_LENGTH)" for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)" read_data: for checking: "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)" for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)" Signed-off-by: N Chen Gang <gang.chen@asianux.com> Signed-off-by: N Corey Minyard <cminyard@mvista.com> Cc: stable@vger.kernel.org Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
a5f2b3d6 · Chen Gang · Linus Torvalds · 1b6b698f · a5f2b3d6
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

drivers/char/ipmi/ipmi_bt_sm.c drivers/char/ipmi/ipmi_bt_sm.c +2 -2

未找到文件。
--- a/drivers/char/ipmi/ipmi_bt_sm.c
+++ b/drivers/char/ipmi/ipmi_bt_sm.c
@@ -95,9 +95,9 @@ struct si_sm_data {
 	enum bt_states	state;
 	unsigned char	seq;		/* BT sequence number */
 	struct si_sm_io	*io;
-	unsigned char	write_data[IPMI_MAX_MSG_LENGTH];
+	unsigned char	write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
 	int		write_count;
-	unsigned char	read_data[IPMI_MAX_MSG_LENGTH];
+	unsigned char	read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
 	int		read_count;
 	int		truncated;
 	long		timeout;	/* microseconds countdown */