[S390] cio: fix potential overflow in chpid descriptor
The length field in the chsc response block (if valid)
has a value of n*(sizeof(chp_desc))+8 (for the response
block header). When we memcopied from the response block
to the actual descriptor we copied 8 bytes too much.
The bug was not revealed since the descriptor is embedded
in struct channel_path.
Since we only write one descriptor at a time ignore the
length value and use sizeof(*desc).

Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Sebastian Ott authored and Martin Schwidefsky committed Jul 19, 2010
1 parent 0abccf7 commit 878c495
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/s390/cio/chsc.c
Expand Up @@ -713,7 +713,7 @@ int chsc_determine_base_channel_path_desc(struct chp_id chpid,
ret = chsc_determine_channel_path_desc(chpid, 0, 0, 0, 0, chsc_resp);
if (ret)
goto out_free;
memcpy(desc, &chsc_resp->data, chsc_resp->length);
memcpy(desc, &chsc_resp->data, sizeof(*desc));
out_free:
kfree(chsc_resp);
return ret;
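
Review bot: nothing in the visible lines checks that chsc_resp->length covers a full descriptor before the new memcpy(desc, &chsc_resp->data, sizeof(*desc)), so a short or invalid response would now be copied into desc as if it were complete. The commit message itself qualifies the length as "(if valid)"; if chsc_determine_channel_path_desc() does not already guarantee that on a zero return, consider rejecting the response when chsc_resp->length is smaller than sizeof(*desc) + 8 and taking the out_free path with an error. A one-line comment above the memcpy noting that the length field includes the 8-byte response block header, and is therefore deliberately not used as the copy size, would also keep a later cleanup from reintroducing the over-copy.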