ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
commit ef001f069e0f175a036929782c5c63053df9569a
author Thomas Huth <thuth@redhat.com>
Tue, 15 Sep 2015 19:34:20 +0000 (15 21:34 +0200)
committer David Gibson <david@gibson.dropbear.id.au>
Wed, 23 Sep 2015 00:51:11 +0000 (23 10:51 +1000)
tree 2bf211642512ebec996b2cc8c4dad7e6b786552e
parent 20bb648dca6d7fe8cdd1941194e7851950b25dc5

The buffer that is allocated in spapr_populate_drconf_memory()
is used for setting both the "ibm,dynamic-memory" and the
"ibm,associativity-lookup-arrays" property. However, only the
size of the first one is taken into account when allocating the
memory. So if the length of the second property is larger than
the length of the first one, we run into a buffer overflow here!
Fix it by taking the length of the second property into account,
too.

Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
hw/ppc/spapr.c
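
The sizing mistake described in the commit message, as an added C example that is not QEMU's code: one scratch buffer serves two properties in turn, so it must be sized for the larger of the two. The cell counts, function names and sample values are assumptions made for this illustration, not the layouts used in hw/ppc/spapr.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cell counts for this example, not taken from hw/ppc/spapr.c. */
enum { ENTRY_CELLS = 6, NODE_CELLS = 4 };

/* Cells needed by the first property: a count cell plus one record per entry. */
size_t first_prop_cells(size_t nr_entries) { return 1 + nr_entries * ENTRY_CELLS; }
/* Cells needed by the second property: two header cells plus one record per node. */
size_t second_prop_cells(size_t nr_nodes) { return 2 + nr_nodes * NODE_CELLS; }

/* Flawed sizing: only the first use of the shared buffer is considered. */
size_t buf_cells_flawed(size_t nr_entries) { return first_prop_cells(nr_entries); }

/* Corrected sizing: the buffer must hold the larger of its two uses. */
size_t buf_cells_fixed(size_t nr_entries, size_t nr_nodes)
{
    size_t a = first_prop_cells(nr_entries), b = second_prop_cells(nr_nodes);
    return a > b ? a : b;
}

/* Bounds-checked fill of `need` cells; returns -1 instead of writing past `cap`. */
int fill_cells(uint32_t *buf, size_t cap, size_t need)
{
    if (need > cap) return -1;
    for (size_t i = 0; i < need; i++) buf[i] = (uint32_t)i;
    return 0;
}

/* Build both properties in one shared buffer of `cap` cells; 0 only if both fit. */
int build_both(size_t cap, size_t nr_entries, size_t nr_nodes)
{
    uint32_t *buf = calloc(cap, sizeof(*buf));
    if (!buf) return -1;
    int rc = fill_cells(buf, cap, first_prop_cells(nr_entries));
    if (rc == 0) rc = fill_cells(buf, cap, second_prop_cells(nr_nodes));
    free(buf);
    return rc;
}

int main(void)
{
    size_t entries = 2, nodes = 8; /* constructed: second property is the larger one */
    printf("flawed sizing: %d\n", build_both(buf_cells_flawed(entries), entries, nodes));
    printf("fixed sizing:  %d\n", build_both(buf_cells_fixed(entries, nodes), entries, nodes));
    return 0;
}
```

The flawed sizing only fails when the second property outgrows the first, which is why a configuration with few entries and many nodes is the case worth testing.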