authorYousef Alhouseen <alhouseenyousef@gmail.com>2026-06-24 19:53:53 +0200
committerCorey Minyard <corey@minyard.net>2026-07-02 06:46:25 -0500
commit53637506884dbd5c91a89b1a3547d99d80f8ed2c (patch)
tree33c616260fa4ed86b8e601535d77f6594ed5cb64 /drivers
parent4edcdefd4083ae04b1a5656f4be6cd83ae919ef4 (diff)
ipmi: ipmb: validate write message length
ipmb_write() read message fields before validating the length byte. A zero or short write can read uninitialized stack bytes. A length smaller than the SMBus header underflows the block write length. Require a non-empty buffer and the minimum IPMB request length. Also require the length byte plus payload before parsing the message. Fixes: 51bd6f291583 ("Add support for IPMB driver") Cc: stable@vger.kernel.org Signed-off-by: Yousef Alhouseen <alhouseenyousef@gmail.com> Message-ID: <20260624175353.8592-1-alhouseenyousef@gmail.com> Signed-off-by: Corey Minyard <corey@minyard.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/char/ipmi/ipmb_dev_int.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
index 680ff15c30ab..e4c50d9ae3e1 100644
--- a/drivers/char/ipmi/ipmb_dev_int.c
+++ b/drivers/char/ipmi/ipmb_dev_int.c
@@ -141,13 +141,14 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
u8 msg[MAX_MSG_LEN];
ssize_t ret;
- if (count > sizeof(msg))
+ if (!count || count > sizeof(msg))
return -EINVAL;
if (copy_from_user(&msg, buf, count))
return -EFAULT;
- if (count < msg[0])
+ if (msg[IPMB_MSG_LEN_IDX] < IPMB_REQUEST_LEN_MIN ||
+ count < (size_t)msg[IPMB_MSG_LEN_IDX] + 1)
return -EINVAL;
rq_sa = GET_7BIT_ADDR(msg[RQ_SA_8BIT_IDX]);
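Review bot: The combined check on `msg[IPMB_MSG_LEN_IDX]` encodes two separate safety properties and has no comment saying which is which: the `IPMB_REQUEST_LEN_MIN` bound is what the commit message relies on to stop the SMBus length subtraction from underflowing, and the `+ 1` is what keeps parsing inside the `count` bytes actually copied from user space. I would add above it `/* Length byte excludes itself: need len + 1 copied bytes, and len >= IPMB_REQUEST_LEN_MIN so the SMBus header subtraction cannot wrap. */`. The underflow guarantee presumably holds only while IPMB_REQUEST_LEN_MIN is at least the SMBus header length, and both constants are defined outside this hunk; a `BUILD_BUG_ON()` tying them together next to the definitions would keep a future change from silently reopening the underflow. ipmb_write() starts before and continues past the hunk, so the subtraction itself is not visible here.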