linux/drivers/char
Heikki Orsila 3fb0cb5d0f [PATCH] Open IPMI BT overflow
I was looking into random driver code and found a suspicious-looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
is attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-04-19 09:13:52 -07:00
agp [efficeon-agp] Add missing memory mask 2006-04-14 17:41:06 -07:00
drm drm: Fix further issues in drivers/char/drm/via_irq.c 2006-04-18 21:04:48 +10:00
ftape drivers/char/ftape/lowlevel/fdc-io.c: Correct a comment 2006-03-26 19:18:07 +02:00
ip2
ipmi [PATCH] Open IPMI BT overflow 2006-04-19 09:13:52 -07:00
mwave
pcmcia [PATCH] pcmcia: convert DEV_OK to pcmcia_dev_present 2006-03-31 17:26:57 +02:00
rio [PATCH] Yet more rio cleaning (2 of 2) 2006-03-24 07:33:29 -08:00
tpm [PATCH] tpm: sparc32 build fix 2006-03-25 08:22:55 -08:00
watchdog [WATCHDOG] at91_wdt.c - Atmel AT91RM9200 watchdog driver 2006-04-02 18:52:01 +02:00
.gitignore
amiserial.c [PATCH] kill _INLINE_ 2006-03-23 07:38:16 -08:00
applicom.c [PATCH] Wrong out of range check in drivers/char/applicom.c 2006-04-11 06:18:46 -07:00
applicom.h
cd1865.h
ChangeLog
consolemap.c
cp437.uni
cs5535_gpio.c
cyclades.c
decserial.c
defkeymap.c_shipped
defkeymap.map
digi.h
digi1.h
digiFep1.h
digiPCI.h
ds1286.c
ds1302.c
ds1620.c
dsp56k.c
dtlk.c [PATCH] Remove extraneous \n in doubletalk init printk. 2006-04-11 06:18:41 -07:00
ec3104_keyb.c
efirtc.c
epca.c BUG_ON() Conversion in drivers/char 2006-03-26 18:17:21 +02:00
epca.h
epcaconfig.h
esp.c [PATCH] Fix locking error in esp 2006-02-14 10:01:39 -08:00
generic_nvram.c [PATCH] powerpc: Kill _machine and hard-coded platform numbers 2006-03-28 23:15:54 +11:00
generic_serial.c [PATCH] sem2mutex: serial ->port_write_mutex 2006-03-23 07:38:14 -08:00
genrtc.c
hangcheck-timer.c
hpet.c [PATCH] HPET: handle multiple ACPI EXTENDED_IRQ resources 2006-02-14 16:09:34 -08:00
hvc_console.c [PATCH] powerpc: hvc_console updates 2006-03-28 16:45:26 +11:00
hvc_console.h [PATCH] powerpc: hvc_console updates 2006-03-28 16:45:26 +11:00
hvc_rtas.c [PATCH] powerpc: add hvc backend for rtas 2006-03-28 16:45:28 +11:00
hvc_vio.c [PATCH] powerpc: hvc_console updates 2006-03-28 16:45:26 +11:00
hvcs.c [PATCH] powerpc/pseries: Change H_StudlyCaps to H_SHOUTING_CAPS 2006-04-01 22:36:57 +11:00
hvsi.c
hw_random.c [PATCH] Add missing ifdef for VIA RNG code 2006-03-03 21:05:58 -05:00
i8k.c
ip27-rtc.c
isicom.c
istallion.c [PATCH] drivers/char/[i]stallion: Clean up kmalloc usage 2006-03-31 12:18:56 -08:00
ite_gpio.c
Kconfig [PATCH] RTC subsystem: VR41XX driver 2006-04-11 06:18:47 -07:00
keyboard.c Input: add support for Braille devices 2006-04-02 00:10:28 -05:00
lcd.c
lcd.h
lp.c
Makefile [PATCH] RTC subsystem: VR41XX driver 2006-04-11 06:18:47 -07:00
mbcs.c
mbcs.h
mem.c [PATCH] mark f_ops const in the inode 2006-03-28 09:16:05 -08:00
misc.c [PATCH] mark f_ops const in the inode 2006-03-28 09:16:05 -08:00
mmtimer.c [IA64] SGI SN drivers: don't report !sn2 hardware as an error 2006-03-07 15:27:59 -08:00
moxa.c
mxser.c [PATCH] Remove MODULE_PARM 2006-03-25 08:22:52 -08:00
mxser.h [PATCH] Typo fixes 2006-03-28 09:16:08 -08:00
n_hdlc.c
n_r3964.c
n_tty.c [PATCH] sem2mutex: tty 2006-03-23 07:38:11 -08:00
nvram.c
nwbutton.c
nwbutton.h
nwflash.c [PATCH] sem2mutex: drivers/char/ 2006-03-23 07:38:11 -08:00
ppdev.c [PATCH] parport: move PP_MAJOR from ppdev.h to major.h 2006-03-25 08:22:53 -08:00
pty.c
qtronix.c
qtronixmap.c_shipped
qtronixmap.map
random.c [IPV6]: Unexport secure_ipv6_port_ephemeral 2006-04-09 22:29:17 -07:00
raw.c [PATCH] sem2mutex: drivers: raw, connector, dcdbas, ppp_generic 2006-03-23 07:38:10 -08:00
riscom8.c [PATCH] Remove MODULE_PARM 2006-03-25 08:22:52 -08:00
riscom8.h
riscom8_reg.h
rocket.c
rocket.h
rocket_int.h
rtc.c
s3c2410-rtc.c [PATCH] handle errors returned by platform_get_irq*() 2006-03-20 13:42:57 -08:00
scan_keyb.c
scan_keyb.h
scc.h
scx200_gpio.c
selection.c
ser_a2232.c [PATCH] sem2mutex: serial ->port_write_mutex 2006-03-23 07:38:14 -08:00
ser_a2232.h
ser_a2232fw.ax
ser_a2232fw.h
serial167.c
snsc.c [PATCH] snsc kmalloc2kzalloc 2006-03-23 07:38:15 -08:00
snsc.h
snsc_event.c [PATCH] snsc kmalloc2kzalloc 2006-03-23 07:38:15 -08:00
sonypi.c
specialix.c
specialix_io8.h
stallion.c [PATCH] drivers/char/[i]stallion: Clean up kmalloc usage 2006-03-31 12:18:56 -08:00
sx.c [PATCH] sem2mutex: serial ->port_write_mutex 2006-03-23 07:38:14 -08:00
sx.h
sxboards.h
sxwindow.h
synclink.c [PATCH] Typo fixes 2006-03-28 09:16:08 -08:00
synclink_gt.c [PATCH] synclink_gt: remove uneeded async code 2006-03-28 09:16:02 -08:00
synclinkmp.c [PATCH] s/;;/;/g 2006-03-24 07:33:24 -08:00
sysrq.c [PATCH] sysrq cleanup 2006-03-25 08:22:52 -08:00
tb0219.c [PATCH] tb0219: convert to the new platform device interface 2006-03-22 07:53:56 -08:00
tipar.c [PATCH] tipar fixes 2006-02-11 21:41:13 -08:00
tlclk.c [PATCH] MPBL0010 driver sysfs permissions wide open 2006-04-11 06:18:43 -07:00
toshiba.c [PATCH] remove ISA legacy functions: drivers/char/toshiba.c 2006-03-24 07:33:19 -08:00
tty_io.c [PATCH] Fix file lookup without ref 2006-04-19 09:13:51 -07:00
tty_ioctl.c
vc_screen.c
viocons.c
viotape.c
vme_scc.c [PATCH] sem2mutex: serial ->port_write_mutex 2006-03-23 07:38:14 -08:00
vr41xx_giu.c [PATCH] vr41xx: convert to the new platform device interface 2006-03-22 07:53:56 -08:00
vt.c [PATCH] vt: add TIOCL_GETKMSGREDIRECT 2006-03-31 12:18:56 -08:00
vt_ioctl.c