s390/sclp: always stay within bounds of the early sccb

Make sure the _sclp_print_lm function stays within bounds of the early sccb, even if the passed string is very long. If the string is too long, the remaining characters will be dropped. Suggested-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com> Reviewed-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
mariux64 · Jan 16, 2017 · f031974 · f031974
1 parent 742dc57
commit f031974
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/arch/s390/kernel/sclp.c b/arch/s390/kernel/sclp.c
@@ -132,16 +132,21 @@ static void _sclp_print_lm(const char *str)
 		0x10, 0x00,					/* 4 */
 		0x00, 0x00, 0x00, 0x00				/* 6 */
 	};
-	unsigned char *ptr, ch;
+	unsigned char *ptr, *end_ptr, ch;
 	unsigned int count;
 
 	memcpy(_sclp_work_area, write_head, sizeof(write_head));
 	ptr = _sclp_work_area + sizeof(write_head);
+	end_ptr = _sclp_work_area + sizeof(_sclp_work_area) - 1;
 	do {
+		if (ptr + sizeof(write_mto) > end_ptr)
+			break;
 		memcpy(ptr, write_mto, sizeof(write_mto));
 		for (count = sizeof(write_mto); (ch = *str++) != 0; count++) {
 			if (ch == 0x0a)
 				break;
+			if (ptr > end_ptr)
+				break;
 			ptr[count] = _ascebc[ch];
 		}
 		/* Update length fields in mto, mdb, evbuf and sccb */