[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150526140654.GI11588@mwanda>
Date: Tue, 26 May 2015 17:06:55 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
linux-kernel@...r.kernel.org,
Shigekatsu Tateno <shigekatsu.tateno@...el.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
devel@...verdev.osuosl.org
Subject: Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS
On Tue, May 26, 2015 at 02:17:49PM +0200, Jason A. Donenfeld wrote:
> diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c
> index 8552053..1bde6aa 100644
> --- a/drivers/staging/ozwpan/ozusbsvc1.c
> +++ b/drivers/staging/ozwpan/ozusbsvc1.c
> @@ -326,11 +326,13 @@ static void oz_usb_handle_ep_data(struct oz_usb_ctx *usb_ctx,
> struct oz_multiple_fixed *body =
> (struct oz_multiple_fixed *)data_hdr;
> u8 *data = body->data;
> - int n;
> + unsigned int n;
> if (!body->unit_size)
> break;
> n = (len - sizeof(struct oz_multiple_fixed)+1)
> / body->unit_size;
> + if (n > len / body->unit_size)
> + break;
You sure do like wrapping to a high value and testing the result for
wrapping instead of validating before doing the subtraction...
regards,
dan carpenter
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
