Date: Tue, 26 May 2015 17:06:55 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: oss-security <oss-security@lists.openwall.com>,
        linux-kernel@vger.kernel.org,
        Shigekatsu Tateno <shigekatsu.tateno@atmel.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        devel@driverdev.osuosl.org
Subject: Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS
Message-ID: <20150526140654.GI11588@mwanda>
References: <1431543500-4847-1-git-send-email-Jason@zx2c4.com>
 <1432642669-7289-1-git-send-email-Jason@zx2c4.com>
 <1432642669-7289-5-git-send-email-Jason@zx2c4.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1432642669-7289-5-git-send-email-Jason@zx2c4.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1082
Lines: 29

On Tue, May 26, 2015 at 02:17:49PM +0200, Jason A. Donenfeld wrote:
> diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c
> index 8552053..1bde6aa 100644
> --- a/drivers/staging/ozwpan/ozusbsvc1.c
> +++ b/drivers/staging/ozwpan/ozusbsvc1.c
> @@ -326,11 +326,13 @@ static void oz_usb_handle_ep_data(struct oz_usb_ctx *usb_ctx,
>  			struct oz_multiple_fixed *body =
>  				(struct oz_multiple_fixed *)data_hdr;
>  			u8 *data = body->data;
> -			int n;
> +			unsigned int n;
>  			if (!body->unit_size)
>  				break;
>  			n = (len - sizeof(struct oz_multiple_fixed)+1)
>  				/ body->unit_size;
> +			if (n > len / body->unit_size)
> +				break;

You sure do like wrapping to a high value and testing the result for
wrapping instead of validating before doing the subtraction...

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/