Subject: Re: [PATCH] snic: correctly check for array overrun on overly long version number
From: Ewan Milne
Reply-To: emilne@redhat.com
To: Colin King
Cc: Narsimhulu Musini, Sesidhar Baddela, "James E . J . Bottomley", "Martin K . Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <1456441105-19042-1-git-send-email-colin.king@canonical.com>
References: <1456441105-19042-1-git-send-email-colin.king@canonical.com>
Organization: Red Hat
Date: Tue, 01 Mar 2016 12:29:38 -0500
Message-ID: <1456853378.16707.46.camel@localhost.localdomain>

On Thu, 2016-02-25 at 22:58 +0000, Colin King wrote:
> From: Colin Ian King
>
> The snic version number is expected to be 4 decimals in the form like
> a netmask string with each number stored in an element in array v.
> However, there is an off-by-one check on the number of elements in v
> allowing one to pass a 5 decimal version number causing v[4] to be
> referenced, causing a buffer overrun. Fix the off-by-one error by
> comparing to i > 3 rather than 4.
>
> Signed-off-by: Colin Ian King
> --- > drivers/scsi/snic/snic_ctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c > index aebe753..ab0e06b 100644 > --- a/drivers/scsi/snic/snic_ctl.c > +++ b/drivers/scsi/snic/snic_ctl.c
> @@ -75,7 +75,7 @@ snic_ver_enc(const char *s) > continue; > } > > - if (i > 4 || !isdigit(c)) > + if (i > 3 || !isdigit(c)) > goto end; > > v[i] = v[i] * 10 + (c - '0'); int v[4] = {0}; So clearly the i > 4 test is wrong and should be i > 3. Reviewed-by: Ewan D. Milne
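Review bot: the bound in `if (i > 3 || !isdigit(c))` is a bare literal tied to the size of `v`, and the original `i > 4` shows how easily it drifts from the `int v[4]` declaration; writing the test as `i >= ARRAY_SIZE(v)` keeps it correct if the array ever changes size. Separately, the next line `v[i] = v[i] * 10 + (c - '0');` accumulates digits with no per-component limit in the visible lines, so a long run of digits in one component can overflow the `int` element; consider capping each component's value or digit count at that point.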