
Commit 7361d1b

lib/mpi: Fix buffer overrun when SG is too long
The helper mpi_read_raw_from_sgl sets the number of entries in the SG list according to nbytes. However, if the last entry in the SG list contains more data than nbytes, then it may overrun the buffer because it only allocates enough memory for nbytes.

Fixes: 2d4d1ee ("lib/mpi: Add mpi sgl helpers")
Reported-by: Roberto Sassu <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Reviewed-by: Eric Biggers <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
1 parent e20d5a2 commit 7361d1b


1 file changed

+2
-1
lines changed


lib/mpi/mpicoder.c

Lines changed: 2 additions & 1 deletion
@@ -504,7 +504,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
504504

505505
while (sg_miter_next(&miter)) {
506506
buff = miter.addr;
507-
len = miter.length;
507+
len = min_t(unsigned, miter.length, nbytes);
508+
nbytes -= len;
508509

509510
for (x = 0; x < len; x++) {
510511
a <<= 8;
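
Review bot: The clamp on the added line `len = min_t(unsigned, miter.length, nbytes);` uses bare `unsigned` as the comparison type, while the hunk header declares `nbytes` as `unsigned int`; spelling it `min_t(unsigned int, ...)` matches the parameter's type and the usual kernel style. The following `nbytes -= len;` turns the function parameter into a running remainder, so any code after the loop that reads `nbytes` would see the leftover count rather than the requested size; confirm no such use exists, or track the remainder in a local variable. A one-line comment above the clamp noting that the last SG entry may hold more data than nbytes would keep the reason beside the code rather than only in the commit message.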
