On Tue, Dec 27, 2022 at 03:27:39PM +0100, Roberto Sassu wrote:
From: Herbert Xu <herbert@gondor.apana.org.au>
The helper mpi_read_raw_from_sgl sets the number of entries in the SG list according to nbytes. However, if the last entry in the SG list contains more data than nbytes, then it may overrun the buffer because it only allocates enough memory for nbytes.
Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Reported-by: Roberto Sassu <roberto.sassu@huaweicloud.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

 lib/mpi/mpicoder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Reviewed-by: Eric Biggers <ebiggers@google.com>
- Eric
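
The overrun described in the commit message, modelled in user space as an added example that is not part of the original thread or the kernel source. `struct seg`, `segs_for_len` and `gather_clamped` are hypothetical names, and clamping each copy to the bytes still wanted is one way to bound the write, not necessarily what the patch itself does (the diff is not shown here).

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space stand-in for one scatterlist entry. */
struct seg { const unsigned char *data; size_t len; };

/* Leading entries needed to cover nbytes (0 if the list is too short).
 * *covered is the sum of their whole lengths, i.e. what a walk that
 * copies entire entries would write; it can exceed nbytes. */
size_t segs_for_len(const struct seg *s, size_t n, size_t nbytes, size_t *covered)
{
    *covered = 0;
    for (size_t i = 0; i < n; i++) {
        *covered += s[i].len;
        if (*covered >= nbytes)
            return i + 1;
    }
    return 0;
}

/* Clamped gather: writes at most nbytes into dst, returns bytes written. */
size_t gather_clamped(const struct seg *s, size_t nents,
                      unsigned char *dst, size_t nbytes)
{
    size_t off = 0;
    for (size_t i = 0; i < nents && off < nbytes; i++) {
        size_t len = s[i].len;
        if (len > nbytes - off)
            len = nbytes - off; /* last entry holds more than is needed */
        memcpy(dst + off, s[i].data, len);
        off += len;
    }
    return off;
}

int main(void)
{
    /* Constructed sample: 4 + 8 bytes of data, caller wants only 6. */
    struct seg sg[] = { { (const unsigned char *)"AAAA", 4 },
                        { (const unsigned char *)"BBBBBBBB", 8 } };
    unsigned char buf[6];
    size_t covered, n = segs_for_len(sg, 2, sizeof(buf), &covered);
    printf("entries=%zu whole-entry bytes=%zu clamped=%zu\n", n, covered,
           gather_clamped(sg, n, buf, sizeof(buf)));
    return 0;
}
```

With the constructed input, two entries are selected for a 6-byte request but together hold 12 bytes, which is the gap between the allocation and an unclamped copy.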