mirror of https://gitee.com/openkylin/linux.git
[S390] cio: fix potential overflow in chpid descriptor
The length filed in the chsc response block (if valid) has a value of n*(sizeof(chp_desc))+8 (for the response block header). When we memcopied from the response block to the actual descriptor we copied 8 bytes too much. The bug was not revealed since the descriptor is embedded in struct channel_path. Since we only write one descriptor at a time ignore the length value and use sizeof(*desc). Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This commit is contained in:
parent
0abccf7740
commit
878c495644
|
@ -713,7 +713,7 @@ int chsc_determine_base_channel_path_desc(struct chp_id chpid,
|
|||
ret = chsc_determine_channel_path_desc(chpid, 0, 0, 0, 0, chsc_resp);
|
||||
if (ret)
|
||||
goto out_free;
|
||||
memcpy(desc, &chsc_resp->data, chsc_resp->length);
|
||||
memcpy(desc, &chsc_resp->data, sizeof(*desc));
|
||||
out_free:
|
||||
kfree(chsc_resp);
|
||||
return ret;
|
||||
|
|
Loading…
Reference in New Issue