Public bug reported:
Description: qeth: Fix potential array overrun in cmd/rc lookup
Symptom: Infinite loop when processing a received cmd.
Problem: qeth_get_ipa_cmd_name() and qeth_get_ipa_msg() are used
to build human-readable messages for received cmd data.
They store the to-be translated value in the last entry of a
global array, and then iterate over each entry until they found
the queried value (and the corresponding message string).
If there is no prior match, the lookup is intended to stop at
the final entry (which was previously prepared).
If two qeth devices are concurrently processing a received cmd,
one lookup can over-write the last entry of the global array
while a second lookup is in process. This second lookup will then
never hit its stop-condition, and loop.
Solution: Remove the modification of the global array, and limit the number
of iterations to the size of the array.
Upstream-ID: kernel 4.19
- 065a2cdcbdf8eb9aefb66e1a24b2d684b8b8852b
- 048a7f8b4ec085d5c56ad4a3bf450389a4aed5f9
Should also be applied, to all other Ubuntu Releases in the field !
** Affects: linux (Ubuntu)
Importance: Undecided
Assignee: Skipper Bug Screeners (skipper-screen-team)
Status: New
** Tags: architecture-s39064 bugnameltc-172700 severity-high
targetmilestone-inin1810
** Tags added: architecture-s39064 bugnameltc-172700 severity-high
targetmilestone-inin1810
** Changed in: ubuntu
Assignee: (unassigned) => Skipper Bug Screeners (skipper-screen-team)
** Package changed: ubuntu => linux (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1800641
Title:
[Ubuntu] qeth: Fix potential array overrun in cmd/rc lookup
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1800641/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
