[PATCH 03/10] staging: unisys: visorbus: Check controlvm message payload size
David Kershner
david.kershner at unisys.com
Wed Feb 1 22:38:55 UTC 2017
From: David Binder <david.binder at unisys.com>
Checks the controlvm message's payload size before copying it into a
parser_context struct's name region.
Signed-off-by: David Binder <david.binder at unisys.com>
Signed-off-by: David Kershner <david.kershner at unisys.com>
Reported-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
drivers/staging/unisys/visorbus/visorchipset.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/staging/unisys/visorbus/visorchipset.c b/drivers/staging/unisys/visorbus/visorchipset.c
index 4e630ea..df2dfeb 100644
--- a/drivers/staging/unisys/visorbus/visorchipset.c
+++ b/drivers/staging/unisys/visorbus/visorchipset.c
@@ -399,6 +399,10 @@ parser_name_get(struct parser_context *ctx)
struct spar_controlvm_parameters_header *phdr = NULL;
phdr = (struct spar_controlvm_parameters_header *)(ctx->data);
+
+ if (phdr->name_offset + phdr->name_length > ctx->param_bytes)
+ return NULL;
+
ctx->curr = ctx->data + phdr->name_offset;
ctx->bytes_remaining = phdr->name_length;
return parser_string_get(ctx);
--
git-series 0.9.1
More information about the devel
mailing list