From 7e484c59b379bca367ac295f153e212734b685c4 Mon Sep 17 00:00:00 2001
From: Gleb Chesnokov
Date: Mon, 14 Feb 2022 14:03:27 +0300
Subject: [PATCH] scst_event: Fix check of recopied payload_len
We check the recopied payload_len with the length of struct scst_event + payload.
if (event->payload_len != event_len)
This check will never succeed. So check the recopied payload length with the passed payload_len from user space.
Fixes: ffd85476 ("scst: Suppress a false positive Coverity memory corruption complaint")
---
 scst/src/scst_event.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scst/src/scst_event.c b/scst/src/scst_event.c
index 7c7a56ad4..fb075d4fa 100644
--- a/scst/src/scst_event.c
+++ b/scst/src/scst_event.c
@@ -637,8 +637,9 @@ static int scst_event_get_event_from_user(struct scst_event_user __user *arg,
 }
 /* payload_len has been recopied, so recheck it. */
- if (event->payload_len != event_len) {
- PRINT_ERROR("Payload len changed while being read");
+ if (event->payload_len != payload_len) {
+ PRINT_ERROR("Payload len %d changed while being read: %d",
+ event->payload_len, payload_len);
 res = -EINVAL;
 goto out_free;
 }
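Review bot: The `%d` conversions in the new `PRINT_ERROR` call assume that `event->payload_len` and the local `payload_len` are signed ints; neither declaration is visible in this hunk, so if they are unsigned 32-bit lengths the specifiers should be `%u`, otherwise a large user-supplied value is logged as a negative number. The message also does not say which value is which; labelling them would help whoever reads the log, e.g. `PRINT_ERROR("Payload len changed while being read: was %d, now %d", payload_len, event->payload_len);`. I would also expand the comment above the check to record why it exists, along the lines of `/* The full copy from user space overwrote payload_len after event_len was sized from the first read; reject a mismatch so the buffer length and the stored length cannot disagree. */`. The body of scst_event_get_event_from_user starts and ends outside the hunk, so the two reads themselves are not shown here.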