Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934757AbbEPKUV (ORCPT <rfc822;w@1wt.eu>);
	Sat, 16 May 2015 06:20:21 -0400
Received: from mail-qg0-f49.google.com ([209.85.192.49]:34171 "EHLO
	mail-qg0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754137AbbEPKUS (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sat, 16 May 2015 06:20:18 -0400
Message-ID: <1431771615.1844.4.camel@gmail.com>
Subject: Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow
From: "Charles (Chas) Williams" <3chas3@gmail.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: "'Jason A. Donenfeld'" <Jason@zx2c4.com>,
        "shigekatsu.tateno@atmel.com" <shigekatsu.tateno@atmel.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
        "oss-security@lists.openwall.com" <oss-security@lists.openwall.com>
Date: Sat, 16 May 2015 06:20:15 -0400
In-Reply-To: <063D6719AE5E284EB5DD2968C1650D6D1CB36893@AcuExch.aculab.com>
References: <1431542014-3239-1-git-send-email-Jason@zx2c4.com>
	 <1431542014-3239-2-git-send-email-Jason@zx2c4.com>
	 <063D6719AE5E284EB5DD2968C1650D6D1CB36893@AcuExch.aculab.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1334
Lines: 33

On Fri, 2015-05-15 at 15:02 +0000, David Laight wrote:
> From: Jason A. Donenfeld
> > Sent: 13 May 2015 19:34
> > Since elt->length is a u8, we can make this variable a u8. Then we can
> > do proper bounds checking more easily. Without this, a potentially
> > negative value is passed to the memcpy inside oz_hcd_get_desc_cnf,
> > resulting in a remotely exploitable heap overflow with network
> > supplied data.
> ...
> > diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c
> > index d434d8c..cd6c63e 100644
> > --- a/drivers/staging/ozwpan/ozusbsvc1.c
> > +++ b/drivers/staging/ozwpan/ozusbsvc1.c
> > @@ -390,8 +390,10 @@ void oz_usb_rx(struct oz_pd *pd, struct oz_elt *elt)
> >  	case OZ_GET_DESC_RSP: {
> >  			struct oz_get_desc_rsp *body =
> >  				(struct oz_get_desc_rsp *)usb_hdr;
> > -			int data_len = elt->length -
> > +			u8 data_len = elt->length -
> >  					sizeof(struct oz_get_desc_rsp) + 1;
> > +			if (data_len > elt->length)
> > +				break;

This check already seems bogus?  It's really:

	if (sizeof(struct oz_get_desc_rsp) - 1 < 0)


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/