Re: [PATCH] snic: correctly check for array overrun on overly long version number
On 26/02/16 4:28 am, "Colin King" wrote: >From: Colin Ian King > >The snic version number is expected to be 4 decimals in the form like >a netmask string with each number stored in an element in array v. >However, there is an off-by-one check on the number of elements in v >allowing one to pass a 5 decimal version number causing v[4] to be >referenced, causing a buffer overrun. Fix the off-by-one error by >comparing to i > 3 rather than 4. Acked-by: Narsimhulu Musini > >Signed-off-by: Colin Ian King >--- > drivers/scsi/snic/snic_ctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c >index aebe753..ab0e06b 100644 >--- a/drivers/scsi/snic/snic_ctl.c >+++ b/drivers/scsi/snic/snic_ctl.c >@@ -75,7 +75,7 @@ snic_ver_enc(const char *s) > continue; > } > >- if (i > 4 || !isdigit(c)) >+ if (i > 3 || !isdigit(c)) > goto end; > > v[i] = v[i] * 10 + (c - '0'); >-- >2.7.0 > -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] snic: correctly check for array overrun on overly long version number
> "Colin" == Colin King writes: Colin> The snic version number is expected to be 4 decimals in the form Colin> like a netmask string with each number stored in an element in Colin> array v. However, there is an off-by-one check on the number of Colin> elements in v allowing one to pass a 5 decimal version number Colin> causing v[4] to be referenced, causing a buffer overrun. Fix the Colin> off-by-one error by comparing to i > 3 rather than 4. Applied to 4.6/scsi-queue. -- Martin K. Petersen Oracle Linux Engineering -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] snic: correctly check for array overrun on overly long version number
On Thu, 2016-02-25 at 22:58 +, Colin King wrote:
> From: Colin Ian King
>
> The snic version number is expected to be 4 decimals in the form like
> a netmask string with each number stored in an element in array v.
> However, there is an off-by-one check on the number of elements in v
> allowing one to pass a 5 decimal version number causing v[4] to be
> referenced, causing a buffer overrun. Fix the off-by-one error by
> comparing to i > 3 rather than 4.
>
> Signed-off-by: Colin Ian King
> ---
> drivers/scsi/snic/snic_ctl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c
> index aebe753..ab0e06b 100644
> --- a/drivers/scsi/snic/snic_ctl.c
> +++ b/drivers/scsi/snic/snic_ctl.c
> @@ -75,7 +75,7 @@ snic_ver_enc(const char *s)
> continue;
> }
>
> - if (i > 4 || !isdigit(c))
> + if (i > 3 || !isdigit(c))
> goto end;
>
> v[i] = v[i] * 10 + (c - '0');
int v[4] = {0};
So clearly the i > 4 test is wrong and should be i > 3.
Reviewed-by: Ewan D. Milne
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH] snic: correctly check for array overrun on overly long version number
Reviewed-by: Shane Seymour -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
