From: "John W. Linville" <linville@tuxdriver.com>
To: Pavel Roskin <proski@gnu.org>, netdev@vger.kernel.org, hostap@shmoo.com
Subject: Re: [PATCH] hostap_plx: fix CIS verification
Date: Tue, 24 Oct 2006 20:37:07 -0400
Message-ID: <20061025003707.GB7340@tuxdriver.com>
In-Reply-To: <20061021011943.GC6140@jm.kir.nu>
On Fri, Oct 20, 2006 at 06:19:43PM -0700, Jouni Malinen wrote:
> On Fri, Oct 20, 2006 at 06:20:15PM -0400, Pavel Roskin wrote:
>
> > The record length for numerical manufacturer ID should be at least 4
> > bytes (two 16-bit words). The code required 5 bytes, which would break
> > for most (if not all) cards. Reported by ph35sm@free.fr
>
> > case CISTPL_MANFID:
> > - if (cis[pos + 1] < 5)
> > + if (cis[pos + 1] < 4)
>
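Review bot: relaxing the minimum to 4 matches the two 16-bit words a CISTPL_MANFID record carries, but the condition still validates only the declared record length, not that the bytes read for those words (through cis[pos + 5], with the data starting at pos + 2) lie inside the CIS buffer, so a truncated dump with a plausible length byte still passes. Pair it with a bound on pos as Jouni suggests, and note that if this `if` is the failure branch, the bound has to be a second failure condition (`cis[pos + 1] < 4 || pos + 5 >= CIS_MAX_LEN`) rather than `&&`. The commit message should also state why 4 is the correct minimum, since the 5 was apparently added in response to a tool report.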
> Hmm.. Interesting. I think this was changed from 4 to 5 due to a
> potential buffer overflow as reported by Coverity tools.. In addition, I
> think that I spent a long time trying to understand why it could be a
> buffer overflow and since it was changed, likely finally figured out an
> example case.. Alas, I don't remember what exactly this was anymore.
>
> It looks like the comparison of the length field to be <5 was incorrect,
> but in order to avoid re-introducing any potential buffer overflows,
> that condition could be extended to verify that pos is small enough..
> Something like (cis[pos + 1] < 4 && pos + 5 < CIS_MAX_LEN) could be a
> better fix here. I don't have easy access to PLX cards anymore, so this
> is untested and I'm too lazy to copy this function into a separate
> program to run it against CIS dumps.
Pavel,
Will you be refactoring this patch? Or do you disagree with Jouni's
assessment?
Thanks,
John
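A small CIS tuple walker for the two checks discussed in this thread, added here as an illustration and not code from hostap_plx: it rejects a CISTPL_MANFID record shorter than 4 bytes and, separately, any tuple whose declared length runs past the bytes actually read, so the relaxed length check cannot become an out-of-bounds read. CIS_MAX_LEN, the tuple layout and the sample dumps are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A CIS tuple is [code][link = data length][data...]; CISTPL_MANFID carries
 * two little-endian 16-bit words, manufacturer id and card id. */
#define CIS_MAX_LEN   256   /* assumed buffer size for this example */
#define CISTPL_MANFID 0x20
#define CISTPL_END    0xff

/* Returns (manf << 16 | card) on success, -1 if the CIS ends without a
 * MANFID, -2 if a tuple would overrun the buffer, -3 if MANFID is too short. */
long cis_manfid(const uint8_t *cis, size_t cis_len)
{
    size_t pos = 0;
    if (cis_len > CIS_MAX_LEN)
        cis_len = CIS_MAX_LEN;
    while (pos + 1 < cis_len) {                /* code and link byte present */
        uint8_t code = cis[pos], len = cis[pos + 1];
        if (code == CISTPL_END)
            return -1;
        /* Bound independent of the tuple type: the declared data ends at
         * pos + 1 + len and must fit inside what was actually read. */
        if (pos + 2 + len > cis_len)
            return -2;
        if (code == CISTPL_MANFID) {
            if (len < 4)                       /* two 16-bit words */
                return -3;
            /* With len >= 4 and the bound above, cis[pos + 5] is in range. */
            unsigned long manf = cis[pos + 2] | (unsigned long)cis[pos + 3] << 8;
            unsigned long card = cis[pos + 4] | (unsigned long)cis[pos + 5] << 8;
            return (long)(manf << 16 | card);
        }
        pos += 2 + len;
    }
    return -2;                                 /* ran past the end, no CISTPL_END */
}

/* Constructed sample dumps (not real card data). */
static const uint8_t cis_ok[]    = { 0x01, 0x02, 0xaa, 0xbb,             /* some other tuple */
                                     0x20, 0x04, 0x56, 0x01, 0x02, 0x00, 0xff };
static const uint8_t cis_short[] = { 0x20, 0x03, 0x56, 0x01, 0x02, 0xff }; /* MANFID len 3 */
static const uint8_t cis_trunc[] = { 0x20, 0x04, 0x56, 0x01 };             /* cut mid-tuple */

int main(void)
{
    printf("ok:    %ld\n", cis_manfid(cis_ok, sizeof cis_ok));       /* 22413314 = 0x01560002 */
    printf("short: %ld\n", cis_manfid(cis_short, sizeof cis_short)); /* -3 */
    printf("trunc: %ld\n", cis_manfid(cis_trunc, sizeof cis_trunc)); /* -2 */
    return 0;
}
```

The second call to cis_manfid in the test below hands over a 4-byte MANFID that ends exactly at the buffer edge, which the original 5-byte requirement would have rejected although it is complete.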
Thread overview: 8+ messages
2006-10-20 22:20 [PATCH] hostap_plx: fix CIS verification Pavel Roskin
2006-10-21 1:19 ` Jouni Malinen
2006-10-25 0:37 ` John W. Linville [this message]
2006-10-25 0:48 ` Pavel Roskin
2006-10-25 1:44 ` Jouni Malinen
2006-10-25 2:12 ` Pavel Roskin
2006-10-25 2:31 ` Jouni Malinen
2006-10-25 2:41 ` [PATCH FIXED] " Pavel Roskin