| author | Yousef Alhouseen <alhouseenyousef@gmail.com> | 2026-06-24 19:53:53 +0200 |
|---|---|---|
| committer | Corey Minyard <corey@minyard.net> | 2026-07-02 06:46:25 -0500 |
| commit | 53637506884dbd5c91a89b1a3547d99d80f8ed2c (patch) | |
| tree | 33c616260fa4ed86b8e601535d77f6594ed5cb64 /drivers | |
| parent | 4edcdefd4083ae04b1a5656f4be6cd83ae919ef4 (diff) | |
ipmi: ipmb: validate write message length
ipmb_write() read message fields before validating the length byte.
A zero or short write can read uninitialized stack bytes.
A length smaller than the SMBus header underflows the block write length.
Require a non-empty buffer and the minimum IPMB request length.
Also require the length byte plus payload before parsing the message.
Fixes: 51bd6f291583 ("Add support for IPMB driver")
Cc: stable@vger.kernel.org
Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com>
Message-ID: <20260624175353.8592-1-alhouseenyousef@gmail.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/char/ipmi/ipmb_dev_int.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c index 680ff15c30ab..e4c50d9ae3e1 100644 --- a/drivers/char/ipmi/ipmb_dev_int.c +++ b/drivers/char/ipmi/ipmb_dev_int.c @@ -141,13 +141,14 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf, u8 msg[MAX_MSG_LEN]; ssize_t ret; - if (count > sizeof(msg)) + if (!count || count > sizeof(msg)) return -EINVAL; if (copy_from_user(&msg, buf, count)) return -EFAULT; - if (count < msg[0]) + if (msg[IPMB_MSG_LEN_IDX] < IPMB_REQUEST_LEN_MIN || + count < (size_t)msg[IPMB_MSG_LEN_IDX] + 1) return -EINVAL; rq_sa = GET_7BIT_ADDR(msg[RQ_SA_8BIT_IDX]); |
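Review bot: In the second check of ipmb_write(), the bound `msg[IPMB_MSG_LEN_IDX] < IPMB_REQUEST_LEN_MIN` only prevents the short reads and the block write length underflow described in the commit message if IPMB_REQUEST_LEN_MIN is at least as large as the SMBus header and covers every index read afterwards, starting with `msg[RQ_SA_8BIT_IDX]`; that relationship is not visible in this hunk. A short comment above the check stating that invariant, or a build-time assertion next to the macro definitions, would keep it from being broken silently by a later change. The check also still accepts a `count` larger than the length byte plus one, so trailing bytes are copied and then ignored; if that is intended it is worth saying so in the same comment, otherwise compare for equality. Since `msg` is still declared uninitialized, `u8 msg[MAX_MSG_LEN] = {};` would be cheap defense in depth for a fix that is tagged for stable.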
