Commit 7bc2b55

Dan Carpenter authored and martinkpetersen committed
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
We need to put an upper bound on "user_len" so the memcpy() doesn't overflow.

Cc: <stable@vger.kernel.org>
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
1 parent 38247fe commit 7bc2b55

1 file changed, +7 -1 lines changed

Diff for: drivers/scsi/arcmsr/arcmsr_hba.c

@@ -2388,7 +2388,8 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
23882388
}
23892389
case ARCMSR_MESSAGE_WRITE_WQBUFFER: {
23902390
unsigned char *ver_addr;
2391-
int32_t user_len, cnt2end;
2391+
uint32_t user_len;
2392+
int32_t cnt2end;
23922393
uint8_t *pQbuffer, *ptmpuserbuffer;
23932394
ver_addr = kmalloc(ARCMSR_API_DATA_BUFLEN, GFP_ATOMIC);
23942395
if (!ver_addr) {
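Review bot: The type change of user_len from int32_t to uint32_t in the declarations is load-bearing but undocumented. If ARCMSR_API_DATA_BUFLEN is a plain int constant, a signed user_len holding a negative Length would pass a "greater than" test and then be converted to a very large size in memcpy(), so the unsigned type is what lets a single upper-bound comparison cover both cases. The commit message only mentions the upper bound; a sentence there, or a short comment on the "uint32_t user_len;" line, would keep a later cleanup from folding the two declarations back into one signed type.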
@@ -2397,6 +2398,11 @@ static int arcmsr_iop_message_xfer(struct AdapterControlBlock *acb,
23972398
}
23982399
ptmpuserbuffer = ver_addr;
23992400
user_len = pcmdmessagefld->cmdmessage.Length;
2401+
if (user_len > ARCMSR_API_DATA_BUFLEN) {
2402+
retvalue = ARCMSR_MESSAGE_FAIL;
2403+
kfree(ver_addr);
2404+
goto message_out;
2405+
}
24002406
memcpy(ptmpuserbuffer,
24012407
pcmdmessagefld->messagedatabuffer, user_len);
24022408
spin_lock_irqsave(&acb->wqbuffer_lock, flags);
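Review bot: The new "if (user_len > ARCMSR_API_DATA_BUFLEN)" check is placed after ver_addr has already been allocated, which is why the failure path needs its own kfree(ver_addr) before "goto message_out". Reading cmdmessage.Length and rejecting it before the kmalloc() would remove that extra cleanup and avoid a GFP_ATOMIC allocation for a request that is going to fail anyway. Note also that the bound protects the destination buffer only: the visible lines do not show how large pcmdmessagefld->messagedatabuffer is, so it is worth confirming the source holds at least ARCMSR_API_DATA_BUFLEN bytes, otherwise a Length at the limit still reads past the source.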
