drivers: ipmi: fix off-by-one bounds check that leads to a out-of-bounds write

commit e0354d147e5889b5faa12e64fa38187aed39aad4 upstream.

The end of buffer check is off-by-one since the check is against
an index that is pre-incremented before a store to buf[]. Fix this
adjusting the bounds check appropriately.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: 51bd6f291583 ("Add support for IPMB driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Message-Id: <20200114144031.358003-1-colin.king@canonical.com>
Reviewed-by: Asmaa Mnebhi <asmaa@mellanox.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
index 285e0b8f9a9744b88e4f6358dbef11c8439e6f7e..09e3e25562a8959d108a3d2a4d4345aee9c7f64f 100644 (file)
--- a/drivers/char/ipmi/ipmb_dev_int.c
+++ b/drivers/char/ipmi/ipmb_dev_int.c
@@ -265,7 +265,7 @@ static int ipmb_slave_cb(struct i2c_client *client,
                break;
 
        case I2C_SLAVE_WRITE_RECEIVED:
-               if (ipmb_dev->msg_idx >= sizeof(struct ipmb_msg))
+               if (ipmb_dev->msg_idx >= sizeof(struct ipmb_msg) - 1)
                        break;
 
                buf[++ipmb_dev->msg_idx] = *val;