Message ID | 1465298043-16505-1-git-send-email-ppandit@redhat.com |
---|---|
State | New |
On 7 June 2016 at 12:14, P J P <ppandit@redhat.com> wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While reading information via 'megasas_ctrl_get_info' routine, > a local bios version buffer isn't null terminated. Add the > terminating null byte to avoid any OOB access. > > Reported-by: Li Qiang <liqiang6-s@360.cn> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/scsi/megasas.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c > index cc66d36..a9ffc32 100644 > --- a/hw/scsi/megasas.c > +++ b/hw/scsi/megasas.c > @@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) > > ptr = memory_region_get_ram_ptr(&pci_dev->rom); > memcpy(biosver, ptr + 0x41, 31); > + biosver[31] = 0; > memcpy(info.image_component[1].name, "BIOS", 4); > memcpy(info.image_component[1].version, biosver, > strlen((const char *)biosver)); Reviewed-by: Peter Maydell <peter.maydell@linaro.org> thanks -- PMM
On Tue, Jun 07, 2016 at 04:44:03PM +0530, P J P wrote: > From: Prasad J Pandit <pjp@fedoraproject.org> > > While reading information via 'megasas_ctrl_get_info' routine, > a local bios version buffer isn't null terminated. Add the > terminating null byte to avoid any OOB access. > > Reported-by: Li Qiang <liqiang6-s@360.cn> > Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> > --- > hw/scsi/megasas.c | 1 + > 1 file changed, 1 insertion(+) Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index cc66d36..a9ffc32 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) ptr = memory_region_get_ram_ptr(&pci_dev->rom); memcpy(biosver, ptr + 0x41, 31); + biosver[31] = 0; memcpy(info.image_component[1].name, "BIOS", 4); memcpy(info.image_component[1].version, biosver, strlen((const char *)biosver));
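Review bot: the added `biosver[31] = 0;` after `memcpy(biosver, ptr + 0x41, 31);` is only in bounds if `biosver` is declared with at least 32 elements, and that declaration is outside the hunk; please confirm the array size, or derive the copy length and terminator index from `sizeof(biosver)` so the terminator cannot itself become the out-of-bounds write. The root cause the hunk addresses is that the 31 bytes come from the device's ROM region (`memory_region_get_ram_ptr(&pci_dev->rom)`), whose contents need not contain a NUL, so the following `strlen((const char *)biosver)` used as the `memcpy` length into `info.image_component[1].version` would read past the buffer. With the terminator in place that length is bounded at 31, but a `strnlen`-bounded length or zero-initialising `biosver` at its declaration would state the invariant at the point of use rather than rely on this single assignment; a one-line comment explaining why the terminator is required would also help future readers.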