ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
commit fa332f5d upstream. The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on and invalid pointer will lead to memory corruption. We don't really need to call atomic_dec() if we haven't called atomic_add_return() so update the if (intf->in_shutdown) path as well. Fixes: 8e76741c ("ipmi: Add a limit on the number of users that may use IPMI") Signed-off-by:Dan Carpenter <dan.carpenter@linaro.org> Message-ID: <aBjMZ8RYrOt6NOgi@stanley.mountain> Signed-off-by:
Corey Minyard <corey@minyard.net> [ - Dropped change to the `if (intf->in_shutdown)` block since that logic doesn't exist yet. - Modified out_unlock to release the srcu lock instead of the mutex since we don't have the mutex here yet. ] Signed-off-by:
Brendan Jackman <jackmanb@google.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Loading
Please sign in to comment