From: KAMBAROV, ZAUR Date: Wed, 29 Jun 2005 03:45:08 +0000 (-0700) Subject: [PATCH] coverity: ipmi_msghandler() channels array overrun fix X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9c101fd439dab60d6eba76afb35fd2696f42c63d;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git [PATCH] coverity: ipmi_msghandler() channels array overrun fix We fix the check in 1084, which was 1084 if (addr->channel > IPMI_NUM_CHANNELS) { 1085 spin_lock_irqsave(&intf->counter_lock, flags); 1086 intf->sent_invalid_commands++; 1087 spin_unlock_irqrestore(&intf->counter_lock, flags); 1088 rv = -EINVAL; 1089 goto out_err; 1090 } addr->channel is used in 1092 if (intf->channels[addr->channel].medium Definitions involved: 221 struct ipmi_channel channels[IPMI_MAX_CHANNELS]; 134 #define IPMI_MAX_CHANNELS 8 In /linux-2.6.12-rc6/include/linux/ipmi.h 148 #define IPMI_NUM_CHANNELS 0x10 Signed-off-by: Zaur Kambarov Cc: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds
---
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 1813d0d198f..e16c13fe698 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -1088,8 +1088,8 @@ static inline int i_ipmi_request(ipmi_user_t user,
 long seqid;
 int broadcast = 0;
- if (addr->channel > IPMI_NUM_CHANNELS) {
- spin_lock_irqsave(&intf->counter_lock, flags);
+ if (addr->channel >= IPMI_MAX_CHANNELS) {
+ spin_lock_irqsave(&intf->counter_lock, flags);
 intf->sent_invalid_commands++;
 spin_unlock_irqrestore(&intf->counter_lock, flags);
 rv = -EINVAL;
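Review bot: The corrected bound on `addr->channel` rejects values of 8 and above but has no lower bound, so if `channel` is a signed field (its declaration is not in this hunk) a negative value still reaches the `intf->channels[addr->channel]` index that the commit message quotes. Checking both ends, `if (addr->channel < 0 || addr->channel >= IPMI_MAX_CHANNELS) {`, would close that side as well. The commit message shows `IPMI_NUM_CHANNELS` is 0x10 while the array holds `IPMI_MAX_CHANNELS` (8) entries, so any other place in this file that bounds a `channels[]` index with `IPMI_NUM_CHANNELS` likely needs the same correction. `i_ipmi_request()` begins and ends outside the hunk, so whether `addr` is validated earlier cannot be seen here.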