Re: [PATCH 4.4 17/25] USB: serial: digi_acceleport: fix OOB data sanity check
From: Ben Hutchings <hidden>
Date: 2017-02-24 13:38:56
Also in:
lkml
Attachments
- signature.asc [application/pgp-signature] 833 bytes
From: Ben Hutchings <hidden>
Date: 2017-02-24 13:38:56
Also in:
lkml
On Fri, 2017-02-24 at 09:25 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Johan Hovold <johan@kernel.org> commit 2d380889215fe20b8523345649dee0579821800c upstream. Make sure to check for short transfers to avoid underflow in a loop condition when parsing the receive buffer. Also fix an off-by-one error in the incomplete sanity check which could lead to invalid data being parsed.
This appears to *introduce* an off-by-one. Which is not as serious as the underflow, but is still a regression. Suppose we have urb->actual_length == 4: [...]
- for (i = 0; i < urb->actual_length - 3;) {i < 1 is true, so we would run the loop once.
- opcode = ((unsigned char *)urb->transfer_buffer)[i++];
- line = ((unsigned char *)urb->transfer_buffer)[i++];
- status = ((unsigned char *)urb->transfer_buffer)[i++];
- val = ((unsigned char *)urb->transfer_buffer)[i++];
+ for (i = 0; i < urb->actual_length - 4; i += 4) {i < 0 is false, so we now skip the loop.
+ opcode = buf[i]; + line = buf[i + 1]; + status = buf[i + 2]; + val = buf[i + 3];
[...] Ben. -- Ben Hutchings All the simple programs have been written, and all the good names taken.