    ipmi: ssif_bmc: prevent integer overflow on 32bit systems · 0627cef3
    Dan Carpenter authored
    There are actually two bugs here.  First, we need to ensure that count
    is at least sizeof(u32) or msg.len will be uninitialized data.
    
    The "msg.len" variable is a u32 that comes from the user.  On 32bit
    systems the "sizeof_field(struct ipmi_ssif_msg, len) + msg.len"
    addition can overflow if "msg.len" is greater than U32_MAX - 4.
    
    Valid lengths for "msg.len" are 1-254.  Add a check for that to
    prevent the integer overflow.
    
    Fixes: dd2bc5cc ("ipmi: ssif_bmc: Add SSIF BMC driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Message-Id: <1431ca2e-4e9c-4520-bfc0-6879313c30e9@moroto.mountain>
    Signed-off-by: Corey Minyard <corey@minyard.net>
ssif_bmc.c 24.2 KB
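
The two conditions the commit message describes can be reproduced in userspace. This is an added example, not the driver's code or part of the commit: `demo_msg`, `load`, `accept_unchecked`, `accept_checked` and `size32_t` are hypothetical names, and `uint32_t` stands in for a 32-bit `size_t` so the wrap shows on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 254u   /* commit message: valid msg.len is 1-254 */
#define REJECTED    (-1)
typedef uint32_t size32_t; /* models size_t on a 32-bit system */
struct demo_msg { uint32_t len; uint8_t payload[PAYLOAD_MAX]; }; /* hypothetical */

/* Stand-in for copy_from_user(); stale_len models stack garbage in msg.len. */
static void load(struct demo_msg *msg, const uint8_t *buf, size32_t count,
                 uint32_t stale_len)
{
    msg->len = stale_len;
    memcpy(msg, buf, count);
}

/* Only the sum is checked. Returns the accepted msg.len or REJECTED. */
int64_t accept_unchecked(const uint8_t *buf, size32_t count, uint32_t stale_len)
{
    struct demo_msg msg;
    if (count > sizeof(msg))
        return REJECTED;
    load(&msg, buf, count, stale_len);
    /* 4 + msg.len wraps modulo 2^32 once msg.len > U32_MAX - 4 */
    if (!msg.len || count < (size32_t)sizeof(msg.len) + msg.len)
        return REJECTED;
    return msg.len;
}

/* Minimum count and the 1-254 range are enforced before the sum is trusted. */
int64_t accept_checked(const uint8_t *buf, size32_t count, uint32_t stale_len)
{
    struct demo_msg msg;
    if (count < sizeof(msg.len) || count > sizeof(msg))
        return REJECTED;
    load(&msg, buf, count, stale_len);
    if (!msg.len || msg.len > PAYLOAD_MAX ||
        count < (size32_t)sizeof(msg.len) + msg.len)
        return REJECTED;
    return msg.len;
}

int main(void)
{
    uint8_t buf[4];
    uint32_t len = UINT32_MAX; /* constructed hostile length */
    memcpy(buf, &len, sizeof(len));
    printf("unchecked=%lld checked=%lld\n",
           (long long)accept_unchecked(buf, 4, 0),
           (long long)accept_checked(buf, 4, 0));
    return 0;
}
```

A return value other than `REJECTED` from `accept_unchecked` for a 4-byte write means a length far beyond the payload buffer passed validation.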