File open-iscsi-overflow-search-ibft of Package open-iscsi
commit 381e50d930be0ea4343a20a0c62b8171468629a1
Author: Hannes Reinecke <hare@suse.de>
Date: Tue Feb 10 10:52:23 2009 +0100
Overflow in search_ibft()
search_ibft() checks for the search boundaries, but fails to
accommodate for the length of the search string.
References: 471475
Signed-off-by: Hannes Reinecke <hare@suse.de>
diff --git a/utils/fwparam_ibft/fwparam_ibft.c b/utils/fwparam_ibft/fwparam_ibft.c
index 02f8ac8..e0ed4a1 100644
--- a/utils/fwparam_ibft/fwparam_ibft.c
+++ b/utils/fwparam_ibft/fwparam_ibft.c
@@ -415,7 +415,7 @@ char *search_ibft(unsigned char *start, int length)
cur_ptr = (unsigned char *)start;
for (cur_ptr = (unsigned char *)start;
- cur_ptr < (start + length);
+ cur_ptr < (start + length - strlen(iBFTSTR));
cur_ptr++) {
if (memcmp(cur_ptr, iBFTSTR,strlen(iBFTSTR)))
continue;
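Review bot: The new bound `cur_ptr < (start + length - strlen(iBFTSTR))` in the for condition assumes length >= strlen(iBFTSTR) and has no guard for a shorter buffer; in that case the expression forms a pointer before start, so an explicit early return when length is smaller than the signature would be safer than relying on the comparison to fail. The bound is also one position tighter than needed: a memcmp starting at exactly start + length - strlen(iBFTSTR) still reads only in-bounds bytes, so `<=` is the exact limit for the signature compare (keeping `<` is the conservative choice, but a comment saying so would help). Since strlen(iBFTSTR) now appears in both the loop condition and the memcmp call, hoisting it into a local size_t before the loop would make the bound easier to read and avoid mixing int and size_t arithmetic inline.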