[PATCH] rapidio: potential overflow in riocm_ch_send()

From: Dan Carpenter
Date: Tue Jun 01 2021 - 05:15:39 EST

Next message: Tvrtko Ursulin: "Re: [Intel-gfx] [PATCH -next] drm/i915: use DEVICE_ATTR_RO macro"
Previous message: Viresh Kumar: "Re: [PATCH v2 3/3] PM / EM: Skip inefficient OPPs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The "buf" variable has "len" bytes, and the size is controlled by the
user in cm_chan_msg_send(). If the length is fewer than sizeof(*hdr)
then it could lead to memory corruption.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
Strictly speaking the last two bytes of length are reserved and not
written to but it's simpler and better to check "< sizeof(*hdr)" instead
of "< sizeof(*hdr) - 2". This is better for future proofing.

drivers/rapidio/rio_cm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c
index db4c265287ae..5c332b9867e1 100644
--- a/drivers/rapidio/rio_cm.c
+++ b/drivers/rapidio/rio_cm.c
@@ -784,7 +784,8 @@ static int riocm_ch_send(u16 ch_id, void *buf, int len)
struct rio_ch_chan_hdr *hdr;
int ret;

- if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE)
+ if (buf == NULL || ch_id == 0 ||
+ len < sizeof(*hdr) || len > RIO_MAX_MSG_SIZE)
return -EINVAL;

ch = riocm_get_channel(ch_id);
--
2.30.2

Next message: Tvrtko Ursulin: "Re: [Intel-gfx] [PATCH -next] drm/i915: use DEVICE_ATTR_RO macro"
Previous message: Viresh Kumar: "Re: [PATCH v2 3/3] PM / EM: Skip inefficient OPPs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]