Thread: 39 messages, 6 authors, 2017-03-15

Re: [PATCH 4.4 17/25] USB: serial: digi_acceleport: fix OOB data sanity check

From: Ben Hutchings <hidden>
Date: 2017-02-24 13:38:56
Also in: lkml

On Fri, 2017-02-24 at 09:25 +0100, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Johan Hovold <johan@kernel.org>
>
> commit 2d380889215fe20b8523345649dee0579821800c upstream.
>
> Make sure to check for short transfers to avoid underflow in a loop
> condition when parsing the receive buffer.
>
> Also fix an off-by-one error in the incomplete sanity check which could
> lead to invalid data being parsed.

This appears to *introduce* an off-by-one.  Which is not as serious as
the underflow, but is still a regression.

Suppose we have urb->actual_length == 4:

[...]
-	for (i = 0; i < urb->actual_length - 3;) {
i < 1 is true, so we would run the loop once.
-		opcode = ((unsigned char *)urb->transfer_buffer)[i++];
-		line = ((unsigned char *)urb->transfer_buffer)[i++];
-		status = ((unsigned char *)urb->transfer_buffer)[i++];
-		val = ((unsigned char *)urb->transfer_buffer)[i++];
+	for (i = 0; i < urb->actual_length - 4; i += 4) {
i < 0 is false, so we now skip the loop.
+		opcode = buf[i];
+		line = buf[i + 1];
+		status = buf[i + 2];
+		val = buf[i + 3];
[...]
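
Review bot: the added loop bound, i < urb->actual_length - 4, stops one record early. The body reads buf[i] through buf[i + 3], so i == actual_length - 4 is still a valid start offset, yet with actual_length == 4 the condition is i < 0 and the only complete record is never parsed; with 8, only the first of two is. Suggest i <= urb->actual_length - 4, or i + 4 <= urb->actual_length, which has no subtraction to wrap if a short length ever reaches the loop. The short-transfer check the commit message mentions is not in the quoted lines, so it cannot be confirmed from here that it precedes the loop.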

Ben.

-- 
Ben Hutchings
All the simple programs have been written, and all the good names
taken.
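
The loop bounds discussed in the message above, tabulated as an added example (not part of the original message or of the kernel source). It models only the two loop conditions from the quoted hunk plus one possible rewrite; the names, the iteration cap and the rewrite are assumptions, and any length check made before the loop is not modeled.

```c
#include <stdint.h>
#include <stdio.h>

#define REC_LEN  4u	/* one OOB record: opcode, line, status, val */
#define ITER_CAP 16u	/* constructed cap so a wrapped bound cannot run away */

enum bound { BOUND_OLD, BOUND_PATCHED, BOUND_REMAINING };

/* Evaluate one loop condition with the same unsigned arithmetic as the hunk. */
static int keep_going(enum bound b, uint32_t i, uint32_t actual_length)
{
	switch (b) {
	case BOUND_OLD:		/* removed line of the hunk */
		return i < actual_length - 3;
	case BOUND_PATCHED:	/* added line of the hunk */
		return i < actual_length - 4;
	default:		/* assumption: rewrite that cannot wrap, i <= length */
		return actual_length - i >= REC_LEN;
	}
}

/* Count loop passes for a transfer of actual_length bytes; no buffer is read. */
static unsigned count_passes(enum bound b, uint32_t actual_length)
{
	unsigned passes = 0;
	uint32_t i = 0;

	while (passes < ITER_CAP && keep_going(b, i, actual_length)) {
		i += REC_LEN;	/* the old loop advanced i with four i++ reads */
		passes++;
	}
	return passes;
}

int main(void)
{
	uint32_t len;

	printf("len  old  patched  remaining  complete-records\n");
	for (len = 0; len <= 9; len++)
		printf("%3u  %3u  %7u  %9u  %16u\n", (unsigned)len,
		       count_passes(BOUND_OLD, len),
		       count_passes(BOUND_PATCHED, len),
		       count_passes(BOUND_REMAINING, len),
		       (unsigned)(len / REC_LEN));
	return 0;
}
```

A count equal to ITER_CAP marks a length at which the unsigned subtraction wrapped and the loop would have run past the data.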
