2006-10-19 00:53:36

by Doug Warzecha

[permalink] [raw]
Subject: [PATCH] firmware/dcdbas: add size check in smi_data_write


This patch adds a size check in smi_data_write to prevent possible wrapping problems with large pos values when calling smi_data_buf_realloc on 32-bit.

Signed-off-by: Doug Warzecha <[email protected]>

---

--- linux-2.6.19-rc2/drivers/firmware/dcdbas.c.orig 2006-10-18 18:52:43.000000000 -0500
+++ linux-2.6.19-rc2/drivers/firmware/dcdbas.c 2006-10-18 18:55:08.000000000 -0500
@@ -8,7 +8,7 @@
*
* See Documentation/dcdbas.txt for more information.
*
- * Copyright (C) 1995-2005 Dell Inc.
+ * Copyright (C) 1995-2006 Dell Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License v2.0 as published by
@@ -40,7 +40,7 @@
#include "dcdbas.h"

#define DRIVER_NAME "dcdbas"
-#define DRIVER_VERSION "5.6.0-2"
+#define DRIVER_VERSION "5.6.0-3.2"
#define DRIVER_DESCRIPTION "Dell Systems Management Base Driver"

static struct platform_device *dcdbas_pdev;
@@ -175,6 +175,9 @@ static ssize_t smi_data_write(struct kob
{
ssize_t ret;

+ if ((pos + count) > MAX_SMI_DATA_BUF_SIZE)
+ return -EINVAL;
+
mutex_lock(&smi_data_lock);

ret = smi_data_buf_realloc(pos + count);


2006-10-19 03:46:12

by Randy Dunlap

[permalink] [raw]
Subject: Re: [PATCH] firmware/dcdbas: add size check in smi_data_write

On Wed, 18 Oct 2006 19:54:42 -0500 Doug Warzecha wrote:

>
> This patch adds a size check in smi_data_write to prevent possible wrapping problems with large pos values when calling smi_data_buf_realloc on 32-bit.

I think that 'man 2 write' suggests EFBIG instead of EINVAL?


> ---
>
> --- linux-2.6.19-rc2/drivers/firmware/dcdbas.c.orig 2006-10-18 18:52:43.000000000 -0500
> +++ linux-2.6.19-rc2/drivers/firmware/dcdbas.c 2006-10-18 18:55:08.000000000 -0500
> @@ -8,7 +8,7 @@
> *
> * See Documentation/dcdbas.txt for more information.
> *
> - * Copyright (C) 1995-2005 Dell Inc.
> + * Copyright (C) 1995-2006 Dell Inc.
> *
> * This program is free software; you can redistribute it and/or modify
> * it under the terms of the GNU General Public License v2.0 as published by
> @@ -40,7 +40,7 @@
> #include "dcdbas.h"
>
> #define DRIVER_NAME "dcdbas"
> -#define DRIVER_VERSION "5.6.0-2"
> +#define DRIVER_VERSION "5.6.0-3.2"
> #define DRIVER_DESCRIPTION "Dell Systems Management Base Driver"
>
> static struct platform_device *dcdbas_pdev;
> @@ -175,6 +175,9 @@ static ssize_t smi_data_write(struct kob
> {
> ssize_t ret;
>
> + if ((pos + count) > MAX_SMI_DATA_BUF_SIZE)
> + return -EINVAL;
> +
> mutex_lock(&smi_data_lock);
>
> ret = smi_data_buf_realloc(pos + count);
> -


---
~Randy