Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp4687449pxb; Tue, 5 Oct 2021 08:17:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6Xt3YQfwZ6waKxyFTVZmcrw9oc3nO8ikhdknehc6xAP7onZ9YHa6Y6maiHXzn9M7Y6wVT X-Received: by 2002:a62:5209:0:b0:44c:68a7:3a61 with SMTP id g9-20020a625209000000b0044c68a73a61mr9254698pfb.83.1633447050480; Tue, 05 Oct 2021 08:17:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633447050; cv=none; d=google.com; s=arc-20160816; b=IYH3On5JN6HCWb1tZivlOVumqmCN1ISvxfy4uPHWyNIC0clz+KZ1jTUx5Fy/x7dK/I KHI/rPs7GKxDDBJ8gpRfrBdQPo0ip76AX99kHLRKu+hoRydbJ/gQ72rDgDk2fPirK/sy ppA+w6uD2wYS2JGPOY0AShqWmCqhIofxFRC14pPl5DWAqPa4oFxWZWCAY7ssO8FuOcUq JM4i5AOJIbXBv7gFqj3CsVH6P8+Ckrhfjxof6Sd/e+QCOqrIDxtVi0sT6uZDbujkPlcz hNJHTHNNiRoUKcYxgel2ZMlvAskOIlsk3w1EJCIArlLvbX9yq6aDnEPNtNPMsNVB9GcC frNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=QvIq1h9e/NhyWPRySEGTralffxgGmERWgEP2mQB01KM=; b=OpLXo+Q5syM2jM3CMNVJc0xDpyzTvDIpXEMsUdcpcTWEBgO/5W45UdfX1HJxwSsXxI gnd/kL9iJ7rW0YZtwms0p3GUkx57iATsIo1MmoYzlGVwEvvXQzvtYIlY+o1c8R3D7VFb iUoBkolOlcsrmXA88Ci7p0YJxrs19RAUaJm1OZy2X7tehCc6J09AI9z7wjF5xljoAGiT fGjejKR9RU2KanAu1xK1QYJQCVanEEbb+4afe3TUjbtqPvIzCViHH1d0Ynx7EV9Klf8x NEOUpW2IRU3r/jFS6RBgWuPOev9fQ2nVeWtQuIADXFxVl7hF6JcySvi1AA+B96TKlLbL JBSw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=WQCsf16x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v5si21962642pgs.555.2021.10.05.08.17.06; Tue, 05 Oct 2021 08:17:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@canonical.com header.s=20210705 header.b=WQCsf16x; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=canonical.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235854AbhJEPSE (ORCPT + 99 others); Tue, 5 Oct 2021 11:18:04 -0400 Received: from smtp-relay-canonical-1.canonical.com ([185.125.188.121]:60900 "EHLO smtp-relay-canonical-1.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235709AbhJEPSD (ORCPT ); Tue, 5 Oct 2021 11:18:03 -0400 Received: from localhost (1.general.cking.uk.vpn [10.172.193.212]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id 9C8753FFEA; Tue, 5 Oct 2021 15:16:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1633446971; bh=QvIq1h9e/NhyWPRySEGTralffxgGmERWgEP2mQB01KM=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version:Content-Type; b=WQCsf16xlonqTKrvB6VvrnLWy3lGEt1zYlmSjqrfimyiIJ602hd1J4b0ZKRgS6qDQ jkFEVgJNKJ4osEMI71osYYHSRCbXMHe4ZyVj9NLD4BElT5na+cUXSgjYoWO9PvkUMV k6BOgCCDtFFVAST9Ej25fe+EWj/enZOzM2h7SUFfSUHXQhcRFQATnl1O4WlIodQ2BO fG+J0BzxztbALuShndTtaY57SntV5nwZfEtgEJ3xV8XA6AbRSyfrQnHtMVwwl1/AAB APV2XlXHgWLMGSadJ9irMSldQbuGISY8qE5mLJHUT1tUBFU4tVdolduxurZi1sMkxs oKZKXcYg/6mgg== From: Colin King To: Corey Minyard , openipmi-developer@lists.sourceforge.net Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH][next] ipmi: ipmb: Fix off-by-one size check on rcvlen Date: Tue, 5 Oct 2021 16:16:11 +0100 Message-Id: <20211005151611.305383-1-colin.king@canonical.com> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Colin Ian King There is an off-by-one bounds check on the rcvlen causing a potential out of bounds write on iidev->rcvmsg. Fix this by using the >= operator on the bounds check rather than the > operator. Addresses-Coverity: ("Out-of-bounds write") Fixes: 0ba0c3c5d1c1 ("ipmi:ipmb: Add initial support for IPMI over IPMB") Signed-off-by: Colin Ian King --- drivers/char/ipmi/ipmi_ipmb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/ipmi/ipmi_ipmb.c b/drivers/char/ipmi/ipmi_ipmb.c index b10a1fd9c563..77ebec4ed28e 100644 --- a/drivers/char/ipmi/ipmi_ipmb.c +++ b/drivers/char/ipmi/ipmi_ipmb.c @@ -192,7 +192,7 @@ static int ipmi_ipmb_slave_cb(struct i2c_client *client, break; case I2C_SLAVE_WRITE_RECEIVED: - if (iidev->rcvlen > sizeof(iidev->rcvmsg)) + if (iidev->rcvlen >= sizeof(iidev->rcvmsg)) iidev->overrun = true; else iidev->rcvmsg[iidev->rcvlen++] = *val; -- 2.32.0