diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2016-12-14 13:24:52 +0100 |
---|---|---|
committer | Sasha Levin <alexander.levin@verizon.com> | 2016-12-23 08:56:35 -0500 |
commit | 8165fc3eb28cbd2e4cca07308f3a205ab347a9d1 (patch) | |
tree | 23d005669552582f951ea6280d87dae49cc06bf5 | |
parent | 1171afc4a34e2926e6e8e27c896cf328c8825ac3 (diff) |
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
[ Upstream commit 7bc2b55a5c030685b399bb65b6baa9ccc3d1f167 ]
We need to put an upper bound on "user_len" so the memcpy() doesn't
overflow.
References: CVE-2016-7425
Cc: <stable@vger.kernel.org>
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Philipp Hahn <hahn@univention.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
-rw-r--r-- | drivers/scsi/arcmsr/arcmsr_hba.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/scsi/arcmsr/arcmsr_hba.c b/drivers/scsi/arcmsr/arcmsr_hba.c index 2926295a936d..c9f87cdc85c1 100644 --- a/drivers/scsi/arcmsr/arcmsr_hba.c +++ b/drivers/scsi/arcmsr/arcmsr_hba.c @@ -2300,7 +2300,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, } case ARCMSR_MESSAGE_WRITE_WQBUFFER: { unsigned char *ver_addr; - int32_t user_len, cnt2end; + uint32_t user_len; + int32_t cnt2end; uint8_t *pQbuffer, *ptmpuserbuffer; ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC); if (!ver_addr) { @@ -2309,6 +2310,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb, } ptmpuserbuffer = ver_addr; user_len = pcmdmessagefld->cmdmessage.Length; + if (user_len > ARCMSR_API_DATA_BUFLEN) { + retvalue = ARCMSR_MESSAGE_FAIL; + kfree(ver_addr); + goto message_out; + } memcpy(ptmpuserbuffer, pcmdmessagefld->messagedatabuffer, user_len); spin_lock_irqsave(&acb->wqbuffer_lock, flags); |