From: kys@exchange.microsoft.com
To: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, devel@linuxdriverproject.org, olaf@aepfle.de, apw@canonical.com, vkuznets@redhat.com, jasowang@redhat.com, leann.ogasawara@canonical.com, marcelo.cerri@canonical.com, sthemmin@microsoft.com
Cc: Alex Ng, "K. Y. Srinivasan"
Subject: [PATCH 5/5] Drivers: hv: kvp: Use MAX_ADAPTER_ID_SIZE for translating adapter id
Date: Sun, 6 Aug 2017 13:12:56 -0700
Message-Id: <1502050376-23662-5-git-send-email-kys@exchange.microsoft.com>
In-Reply-To: <1502050348-23624-1-git-send-email-kys@exchange.microsoft.com>
References: <1502050348-23624-1-git-send-email-kys@exchange.microsoft.com>
Reply-To: kys@microsoft.com
X-Mailer: git-send-email 1.7.1
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alex Ng There's a bug which passes the output buffer size as MAX_IP_ADDR_SIZE, when converting the adapter_id field to UTF16. This is much larger than the actual size (MAX_ADAPTER_ID_SIZE). Fix this by passing the proper size. Fortunately, the translation is limited by the length of the input. This explains why we haven't seen output buffer overflow conditions. Signed-off-by: Alex Ng Signed-off-by: K. Y. Srinivasan --- drivers/hv/hv_kvp.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/hv/hv_kvp.c b/drivers/hv/hv_kvp.c index 9a90b91..5eed1e7 100644 --- a/drivers/hv/hv_kvp.c +++ b/drivers/hv/hv_kvp.c @@ -304,7 +304,7 @@ static int process_ob_ipinfo(void *in_msg, void *out_msg, int op) strlen((char *)in->body.kvp_ip_val.adapter_id), UTF16_HOST_ENDIAN, (wchar_t *)out->kvp_ip_val.adapter_id, - MAX_IP_ADDR_SIZE); + MAX_ADAPTER_ID_SIZE); if (len < 0) return len; -- 1.7.1
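
Review bot: the corrected bound in the last argument of the conversion call, MAX_ADAPTER_ID_SIZE, is only right if it counts 16-bit output units rather than bytes, because the destination out->kvp_ip_val.adapter_id is passed as a wchar_t *. Please confirm that it equals the element count of that array, and say whether a result that fills all MAX_ADAPTER_ID_SIZE units leaves the field without the terminator the consumer of out_msg expects. The input length is still strlen((char *)in->body.kvp_ip_val.adapter_id), so the commit message's argument that the translation is limited by the length of the input depends on that field being NUL-terminated; strnlen() bounded by the size of the source field would make the input bound explicit instead of implied. Since the message describes this as a bug fix, a Fixes: tag naming the commit that introduced the MAX_IP_ADDR_SIZE argument would help with backporting.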