[PATCH] rapidio: potential overflow in riocm_ch_send()
From: Dan Carpenter
Date: Tue Jun 01 2021 - 05:15:39 EST
The "buf" variable has "len" bytes, and the size is controlled by the
user in cm_chan_msg_send(). If the length is fewer than sizeof(*hdr)
then it could lead to memory corruption.
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
Strictly speaking the last two bytes of length are reserved and not
written to but it's simpler and better to check "< sizeof(*hdr)" instead
of "< sizeof(*hdr) - 2". This is better for future proofing.
drivers/rapidio/rio_cm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c
index db4c265287ae..5c332b9867e1 100644
--- a/drivers/rapidio/rio_cm.c
+++ b/drivers/rapidio/rio_cm.c
@@ -784,7 +784,8 @@ static int riocm_ch_send(u16 ch_id, void *buf, int len)
struct rio_ch_chan_hdr *hdr;
int ret;
- if (buf == NULL || ch_id == 0 || len == 0 || len > RIO_MAX_MSG_SIZE)
+ if (buf == NULL || ch_id == 0 ||
+ len < sizeof(*hdr) || len > RIO_MAX_MSG_SIZE)
return -EINVAL;
ch = riocm_get_channel(ch_id);
--
2.30.2