[S390] cio: fix potential overflow in chpid descriptor

The length filed in the chsc response block (if valid) has a value of n*(sizeof(chp_desc))+8 (for the response block header). When we memcopied from the response block to the actual descriptor we copied 8 bytes too much. The bug was not revealed since the descriptor is embedded in struct channel_path. Since we only write one descriptor at a time ignore the length value and use sizeof(*desc). Signed-off-by: N Sebastian Ott <sebott@linux.vnet.ibm.com> Signed-off-by: N Martin Schwidefsky <schwidefsky@de.ibm.com>

[S390] cio: fix potential overflow in chpid descriptor
The length filed in the chsc response block (if valid) has a value of n*(sizeof(chp_desc))+8 (for the response block header). When we memcopied from the response block to the actual descriptor we copied 8 bytes too much. The bug was not revealed since the descriptor is embedded in struct channel_path. Since we only write one descriptor at a time ignore the length value and use sizeof(*desc). Signed-off-by: N Sebastian Ott <sebott@linux.vnet.ibm.com> Signed-off-by: N Martin Schwidefsky <schwidefsky@de.ibm.com>
878c4956 · Sebastian Ott · Martin Schwidefsky · 0abccf77 · 878c4956
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/s390/cio/chsc.c drivers/s390/cio/chsc.c +1 -1

未找到文件。
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -713,7 +713,7 @@ int chsc_determine_base_channel_path_desc(struct chp_id chpid,
 	ret = chsc_determine_channel_path_desc(chpid, 0, 0, 0, 0, chsc_resp);
 	if (ret)
 		goto out_free;
-	memcpy(desc, &chsc_resp->data, chsc_resp->length);
+	memcpy(desc, &chsc_resp->data, sizeof(*desc));
 out_free:
 	kfree(chsc_resp);
 	return ret;