From 9c101fd439dab60d6eba76afb35fd2696f42c63d Mon Sep 17 00:00:00 2001
From: "KAMBAROV, ZAUR" <kambarov@berkeley.edu>
Date: Tue, 28 Jun 2005 20:45:08 -0700
Subject: [PATCH] [PATCH] coverity: ipmi_msghandler() channels array overrun
 fix

We fix the check at line 1084, which was

1084 			if (addr->channel > IPMI_NUM_CHANNELS) {
1085 				spin_lock_irqsave(&intf->counter_lock, flags);
1086 				intf->sent_invalid_commands++;
1087 				spin_unlock_irqrestore(&intf->counter_lock, flags);
1088 				rv = -EINVAL;
1089 				goto out_err;
1090 			}

addr->channel is used in

1092 			if (intf->channels[addr->channel].medium

Definitions involved:

221  		struct ipmi_channel channels[IPMI_MAX_CHANNELS];

134  	#define IPMI_MAX_CHANNELS       8

In /linux-2.6.12-rc6/include/linux/ipmi.h
148  	#define IPMI_NUM_CHANNELS 0x10

Signed-off-by: Zaur Kambarov <zkambarov@coverity.com>
Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
---
 drivers/char/ipmi/ipmi_msghandler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 1813d0d198f1..e16c13fe698d 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -1088,8 +1088,8 @@ static inline int i_ipmi_request(ipmi_user_t          user,
 		long                  seqid;
 		int                   broadcast = 0;
 
-		if (addr->channel > IPMI_NUM_CHANNELS) {
-			spin_lock_irqsave(&intf->counter_lock, flags);
+		if (addr->channel >= IPMI_MAX_CHANNELS) {
+		        spin_lock_irqsave(&intf->counter_lock, flags);
 			intf->sent_invalid_commands++;
 			spin_unlock_irqrestore(&intf->counter_lock, flags);
 			rv = -EINVAL;
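Review bot: The new bound on the first added line still admits a negative channel if addr->channel is a signed type (it is declared as a `short` in struct ipmi_addr, as far as I recall), and a negative value would index channels[] before its start just as an over-large one indexed past its end; the guard should read `if (addr->channel < 0 || addr->channel >= IPMI_MAX_CHANNELS) {`. The second added line also replaced the tab indentation of the spin_lock_irqsave() call with a tab plus eight spaces, which differs from the surrounding lines and should be restored to tabs. i_ipmi_request() begins and ends outside the hunk.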
-- 
GitLab