Message-ID: <20150526133221.GG11588@mwanda>
Date: Tue, 26 May 2015 16:32:21 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>,
        Shigekatsu Tateno <shigekatsu.tateno@...el.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
        linux-kernel@...r.kernel.org,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        devel@...verdev.osuosl.org
Subject: Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow

On Tue, May 26, 2015 at 02:17:46PM +0200, Jason A. Donenfeld wrote:
> +			data_len = elt->length -
>  					sizeof(struct oz_get_desc_rsp) + 1;
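Review bot: The subtraction on the added line has no visible lower-bound guard. sizeof yields an unsigned size_t, so when elt->length is smaller than sizeof(struct oz_get_desc_rsp) - 1 the result wraps to a very large data_len instead of going negative. Check elt->length against the header size before computing data_len, and add a comment saying what the + 1 accounts for, since the quoted lines do not explain it.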

This was in the original code, but I wonder where the + 1 comes from.
Does anyone know?

To be honest, I would prefer if we just checked:

	if (elt->length < sizeof(struct oz_get_desc_rsp) + 1)
		return;
	data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1;

Shouldn't there be an upper bound on length?  Shigekatsu?

regards,
dan carpenter
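
The lower-bound check proposed in the message above, shown beside the unchecked subtraction and combined with an upper bound, as an added example that is not code from the patch or the driver. `struct demo_rsp`, `DEMO_MAX_DATA` and the function names are hypothetical, and the 64-byte limit is an assumed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 6-byte header, constructed for this example (not the driver's struct). */
struct demo_rsp { uint8_t req_id, rcode, offset[2], total_size[2]; };

#define DEMO_MAX_DATA 64u /* assumed upper bound on payload size */

/* Unchecked: sizeof is size_t, so a short length wraps instead of going negative. */
size_t data_len_unchecked(uint8_t length)
{
	return length - sizeof(struct demo_rsp) + 1;
}

/* Checked: lower bound first (the check proposed above), then an upper bound. */
int data_len_checked(uint8_t length, size_t *out)
{
	size_t len;
	if (length < sizeof(struct demo_rsp) + 1)
		return -1;
	len = length - sizeof(struct demo_rsp) + 1;
	if (len > DEMO_MAX_DATA)
		return -1;
	*out = len;
	return 0;
}

/* Copy the last data_len bytes of a length-byte element body into dst.
 * Returns the number of bytes copied, or -1 if length is rejected. */
int copy_payload(uint8_t dst[DEMO_MAX_DATA], const uint8_t *body, uint8_t length)
{
	size_t len;
	if (data_len_checked(length, &len) != 0)
		return -1;
	memcpy(dst, body + length - len, len);
	return (int)len;
}

int main(void)
{
	uint8_t body[16] = { 0 }, dst[DEMO_MAX_DATA]; /* constructed sample input */
	printf("unchecked(2) = %zu\n", data_len_unchecked(2));
	printf("copy(16) = %d, copy(2) = %d, copy(255) = %d\n",
	       copy_payload(dst, body, 16), copy_payload(dst, body, 2),
	       copy_payload(dst, body, 255));
	return 0;
}
```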
