| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YLX6p+NXg2w+UqRq@mwanda>
Date: Tue, 1 Jun 2021 12:15:19 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Matt Porter <mporter@...nel.crashing.org>
Cc: Alexandre Bounine <alex.bou9@...il.com>,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH] rapidio: potential overflow in riocm_ch_send()
The "buf" variable has "len" bytes, and the size is controlled by the
user in cm_chan_msg_send(). If the length is fewer than sizeof(*hdr)
then it could lead to memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
Strictly speaking the last two bytes of length are reserved and not
written to but it's simpler and better to check "< sizeof(*hdr)" instead
of "< sizeof(*hdr) - 2". This is better for future proofing.
drivers/rapidio/rio_cm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c
index db4c265287ae..5c332b9867e1 100644
--- a/drivers/rapidio/rio_cm.c
+++ b/drivers/rapidio/rio_cm.c
@@ -784,7 +784,8 @@ static int riocm_ch_send(u16 ch_id, void *buf, int len)
struct rio_ch_chan_hdr *hdr;
int ret;
- if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE)
+ if (buf == NULL || ch_id == 0 ||
+ len < sizeof(*hdr) || len > RIO_MAX_MSG_SIZE)
return -EINVAL;
ch = riocm_get_channel(ch_id);
--
2.30.2
Powered by blists - more mailing lists