From: "Narsimhulu Musini (nmusini)"
To: Colin King, "Sesidhar Baddela (sebaddel)", "James E . J . Bottomley", "Martin K . Petersen", "linux-scsi@vger.kernel.org"
CC: "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] snic: correctly check for array overrun on overly long version number
Date: Wed, 2 Mar 2016 08:54:10 +0000
In-Reply-To: <1456441105-19042-1-git-send-email-colin.king@canonical.com>

On 26/02/16 4:28 am, "Colin King" wrote:

>From: Colin Ian King
>
>The snic version number is expected to be 4 decimals in the form like
>a netmask string with each number stored in an element in array v.
>However, there is an off-by-one check on the number of elements in v
>allowing one to pass a 5 decimal version number causing v[4] to be
>referenced, causing a buffer overrun. Fix the off-by-one error by
>comparing to i > 3 rather than 4.

Acked-by: Narsimhulu Musini

>
>Signed-off-by: Colin Ian King
>--- > drivers/scsi/snic/snic_ctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c >index aebe753..ab0e06b 100644 >--- a/drivers/scsi/snic/snic_ctl.c >+++ b/drivers/scsi/snic/snic_ctl.c 
>@@ -75,7 +75,7 @@ snic_ver_enc(const char *s) > continue; > } > >- if (i > 4 || !isdigit(c)) >+ if (i > 3 || !isdigit(c)) > goto end; > > v[i] = v[i] * 10 + (c - '0'); >-- >2.7.0 >
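
Review bot: in the changed condition "if (i > 3 || !isdigit(c))" the bound is still a bare literal that has to be kept in step with the size of v by hand; writing it as "i >= ARRAY_SIZE(v)" would tie the check to the array it guards, so a later change to v cannot reintroduce the overrun. Separately, the unchanged line "v[i] = v[i] * 10 + (c - '0');" accumulates digits with no limit on each component visible in this hunk, so a long run of digits in one field deserves a range check as well. The commit message would also benefit from a Fixes: tag naming the commit that introduced the "i > 4" test.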