diff options
author | Sebastian Ott <sebott@linux.vnet.ibm.com> | 2010-07-19 03:22:37 -0400 |
---|---|---|
committer | Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> | 2010-07-19 03:22:50 -0400 |
commit | 878c495644be28cc881e7ee792f00fd879a1ebf9 (patch) | |
tree | 61f9ea2be8e821424d2643c8a26b720fd2a5a3bf /drivers/s390 | |
parent | 0abccf77402af44855da739b439d01cfb65b4bfd (diff) |
[S390] cio: fix potential overflow in chpid descriptor
The length filed in the chsc response block (if valid)
has a value of n*(sizeof(chp_desc))+8 (for the response
block header). When we memcopied from the response block
to the actual descriptor we copied 8 bytes too much.
The bug was not revealed since the descriptor is embedded
in struct channel_path.
Since we only write one descriptor at a time ignore the
length value and use sizeof(*desc).
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r-- | drivers/s390/cio/chsc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/s390/cio/chsc.c b/drivers/s390/cio/chsc.c index ce7cb87479f..407d0e9adfa 100644 --- a/drivers/s390/cio/chsc.c +++ b/drivers/s390/cio/chsc.c | |||
@@ -713,7 +713,7 @@ int chsc_determine_base_channel_path_desc(struct chp_id chpid, | |||
713 | ret = chsc_determine_channel_path_desc(chpid, 0, 0, 0, 0, chsc_resp); | 713 | ret = chsc_determine_channel_path_desc(chpid, 0, 0, 0, 0, chsc_resp); |
714 | if (ret) | 714 | if (ret) |
715 | goto out_free; | 715 | goto out_free; |
716 | memcpy(desc, &chsc_resp->data, chsc_resp->length); | 716 | memcpy(desc, &chsc_resp->data, sizeof(*desc)); |
717 | out_free: | 717 | out_free: |
718 | kfree(chsc_resp); | 718 | kfree(chsc_resp); |
719 | return ret; | 719 | return ret; |