From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tomas Henzl Subject: Re: [patch v2] arcmsr: buffer overflow in arcmsr_iop_message_xfer() Date: Mon, 26 Sep 2016 15:29:49 +0200 Message-ID: References: <20160915134456.GA30277@mwanda> <20160923112226.rteir5ivjou64ffh@pd.tnic> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com ([209.132.183.28]:60044 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935875AbcIZN36 (ORCPT ); Mon, 26 Sep 2016 09:29:58 -0400 In-Reply-To: <20160923112226.rteir5ivjou64ffh@pd.tnic> Sender: linux-scsi-owner@vger.kernel.org List-Id: linux-scsi@vger.kernel.org To: Borislav Petkov , "Martin K. Petersen" Cc: Dan Carpenter , "James E.J. Bottomley" , Ching Huang , Hannes Reinicke , Johannes Thumshirn , linux-scsi@vger.kernel.org, security@kernel.org On 23.9.2016 13:22, Borislav Petkov wrote: > On Thu, Sep 15, 2016 at 09:59:01AM -0400, Martin K. Petersen wrote: >>>>>>> "Dan" == Dan Carpenter writes: >> Dan> We need to put an upper bound on "user_len" so the memcpy() doesn't >> Dan> overflow. >> >> Applied to 4.9/scsi-queue. > Yap, Tomas said the kfree was missing on the error path but can we > simplify this further by doing the user_len check first so that the > kfree() is not even needed? > > Patch ontop: > > --- > From: Borislav Petkov > Date: Fri, 23 Sep 2016 13:04:51 +0200 > Subject: [PATCH] scsi: arcmsr: Simplify user_len checking > > Do the user_len check first and then the ver_addr allocation so that > we can save us the kfree() on the error path when user_len is > > ARCMSR_API_DATA_BUFLEN. > > Signed-off-by: Borislav Petkov > Cc: Marco Grassi > Cc: Dan Carpenter > Cc: Tomas Henzl > Cc: Martin K. Petersen Looks good, Reviewed-by: Tomas Henzl