Bug #4233
Status: closed
mptsas topo change buffer overflow
Start date: 2013-10-18
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
Description
There is a nasty little buffer overflow in the SMHBA code in mpt_sas.
When a directly attached device is plugged in, mptsas_handle_topo_change() will try to update the phy properties for SMHBA by calling mptsas_smhba_set_phy_props() for one (1) phy. mptsas_smhba_set_phy_props() will allocate space for one nvlist pointer according to the phy_nums argument. Later, when it iterates over all phys and sets the properties for those that have a matching phy_mask, it does not check phy_nums and will happily write past the end of the nvlist pointer array.
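The pattern described above, modelled in user-space C as an added example (this is not the mpt_sas driver's code). Every `model_` name and the 8-phy table are assumptions made for the illustration; it compares how many slots a mask-driven loop needs with how many a loop bounded by `phy_nums` writes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_MAX_PHYS 8            /* constructed value for this model */

struct model_props { int phy; };    /* stand-in for a per-phy property list */
static struct model_props model_table[MODEL_MAX_PHYS];

/* Slots an unchecked loop would write: one per phy whose bit is set in phy_mask. */
static int model_slots_needed(uint8_t phy_mask)
{
    int n = 0;
    for (int i = 0; i < MODEL_MAX_PHYS; i++)
        n += (phy_mask >> i) & 1;
    return n;
}

/*
 * Bounded fill: allocate phy_nums pointers and stop once they are used up.
 * Returns the number of slots written, or -1 on a bad count or failed allocation.
 * *skipped receives the number of matching phys that did not fit.
 */
static int model_set_phy_props(int phy_nums, uint8_t phy_mask, int *skipped)
{
    struct model_props **arr;
    int used = 0;

    *skipped = 0;
    if (phy_nums <= 0 || (arr = calloc((size_t)phy_nums, sizeof(*arr))) == NULL)
        return -1;
    for (int i = 0; i < MODEL_MAX_PHYS; i++) {
        if (!((phy_mask >> i) & 1))
            continue;
        if (used >= phy_nums) {     /* the check the description says is missing */
            (*skipped)++;
            continue;
        }
        model_table[i].phy = i;
        arr[used++] = &model_table[i];
    }
    free(arr);
    return used;
}

int main(void)
{
    int skipped, used = model_set_phy_props(1, 0x0f, &skipped);
    printf("needed=%d written=%d skipped=%d\n", model_slots_needed(0x0f), used, skipped);
    return 0;
}
```

A non-zero `skipped` count is the condition under which the unbounded loop would have written past the array, so it is a natural place for an assertion or a warning log in real code.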