Re: [PATCH] snic: correctly check for array overrun on overly long version number
On 26/02/16 4:28 am, "Colin King" wrote: >From: Colin Ian King > >The snic version number is expected to be 4 decimals in the form like >a netmask string with each number stored in an element in array v. >However, there is an off-by-one check on the number of elements in v >allowing one to pass a 5 decimal version number causing v[4] to be >referenced, causing a buffer overrun. Fix the off-by-one error by >comparing to i > 3 rather than 4. Acked-by: Narsimhulu Musini > >Signed-off-by: Colin Ian King >--- > drivers/scsi/snic/snic_ctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c >index aebe753..ab0e06b 100644 >--- a/drivers/scsi/snic/snic_ctl.c >+++ b/drivers/scsi/snic/snic_ctl.c >@@ -75,7 +75,7 @@ snic_ver_enc(const char *s) > continue; > } > >- if (i > 4 || !isdigit(c)) >+ if (i > 3 || !isdigit(c)) > goto end; > > v[i] = v[i] * 10 + (c - '0'); >-- >2.7.0 > -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] snic: correctly check for array overrun on overly long version number
> "Colin" == Colin King writes: Colin> The snic version number is expected to be 4 decimals in the form Colin> like a netmask string with each number stored in an element in Colin> array v. However, there is an off-by-one check on the number of Colin> elements in v allowing one to pass a 5 decimal version number Colin> causing v[4] to be referenced, causing a buffer overrun. Fix the Colin> off-by-one error by comparing to i > 3 rather than 4. Applied to 4.6/scsi-queue. -- Martin K. Petersen Oracle Linux Engineering -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] snic: correctly check for array overrun on overly long version number
On Thu, 2016-02-25 at 22:58 +, Colin King wrote: > From: Colin Ian King > > The snic version number is expected to be 4 decimals in the form like > a netmask string with each number stored in an element in array v. > However, there is an off-by-one check on the number of elements in v > allowing one to pass a 5 decimal version number causing v[4] to be > referenced, causing a buffer overrun. Fix the off-by-one error by > comparing to i > 3 rather than 4. > > Signed-off-by: Colin Ian King > --- > drivers/scsi/snic/snic_ctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c > index aebe753..ab0e06b 100644 > --- a/drivers/scsi/snic/snic_ctl.c > +++ b/drivers/scsi/snic/snic_ctl.c > @@ -75,7 +75,7 @@ snic_ver_enc(const char *s) > continue; > } > > - if (i > 4 || !isdigit(c)) > + if (i > 3 || !isdigit(c)) > goto end; > > v[i] = v[i] * 10 + (c - '0'); int v[4] = {0}; So clearly the i > 4 test is wrong and should be i > 3. Reviewed-by: Ewan D. Milne -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH] snic: correctly check for array overrun on overly long version number
Reviewed-by: Shane Seymour -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html