aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/char/ipmi
diff options
context:
space:
mode:
authorKAMBAROV, ZAUR <kambarov@berkeley.edu>2005-06-28 23:45:08 -0400
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-06-29 00:20:33 -0400
commit9c101fd439dab60d6eba76afb35fd2696f42c63d (patch)
treef83da5a06a1af9be7539066536aa0b9bd4a4c69b /drivers/char/ipmi
parenta77e3362a224212d9d3b9e6fdec44df2eef6cf92 (diff)
[PATCH] coverity: ipmi_msghandler() channels array overrun fix
We fix the check in 1084, which was 1084 if (addr->channel > IPMI_NUM_CHANNELS) { 1085 spin_lock_irqsave(&intf->counter_lock, flags); 1086 intf->sent_invalid_commands++; 1087 spin_unlock_irqrestore(&intf->counter_lock, flags); 1088 rv = -EINVAL; 1089 goto out_err; 1090 } addr->channel is used in 1092 if (intf->channels[addr->channel].medium Definitions involved: 221 struct ipmi_channel channels[IPMI_MAX_CHANNELS]; 134 #define IPMI_MAX_CHANNELS 8 In /linux-2.6.12-rc6/include/linux/ipmi.h 148 #define IPMI_NUM_CHANNELS 0x10 Signed-off-by: Zaur Kambarov <zkambarov@coverity.com> Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'drivers/char/ipmi')
-rw-r--r--drivers/char/ipmi/ipmi_msghandler.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 1813d0d198f1..e16c13fe698d 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -1088,8 +1088,8 @@ static inline int i_ipmi_request(ipmi_user_t user,
1088 long seqid; 1088 long seqid;
1089 int broadcast = 0; 1089 int broadcast = 0;
1090 1090
1091 if (addr->channel > IPMI_NUM_CHANNELS) { 1091 if (addr->channel >= IPMI_MAX_CHANNELS) {
1092 spin_lock_irqsave(&intf->counter_lock, flags); 1092 spin_lock_irqsave(&intf->counter_lock, flags);
1093 intf->sent_invalid_commands++; 1093 intf->sent_invalid_commands++;
1094 spin_unlock_irqrestore(&intf->counter_lock, flags); 1094 spin_unlock_irqrestore(&intf->counter_lock, flags);
1095 rv = -EINVAL; 1095 rv = -EINVAL;