From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow
Date: Tue, 26 May 2015 16:56:35 +0300 [thread overview]
Message-ID: <20150526135635.GH11588@mwanda> (raw)
In-Reply-To: <CAHmME9oLLKUxm4zk_=kzRAt5Key_G0+dgozVVw+EwUcYJYDRmg@mail.gmail.com>
On Tue, May 26, 2015 at 03:49:27PM +0200, Jason A. Donenfeld wrote:
> On Tue, May 26, 2015 at 3:32 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > On Tue, May 26, 2015 at 02:17:46PM +0200, Jason A. Donenfeld wrote:
> >> + data_len = elt->length -
> >> sizeof(struct oz_get_desc_rsp) + 1;
> >
> > This was in the original code, but I wonder where the + 1 comes from.
> > Does anyone know?
>
> I know. It's because oz_get_desc_rsp has a 1 byte data member as it's
> last element, that's just meant as a placeholder for a variable amount
> of data. elt->length is supposed to be the size of the struct elements
> plus the total data section, which runs after the struct. But because
> of this placeholder goofiness, when we take sizeof we have to subtract
> one.
>
> struct oz_get_desc_rsp {
> [... bla bla ...]
> u8 data[1];
> } PACKED;
>
> This is sort of horrible, but it is what it is. I'd recommend these
> security-CRITICAL patches get merged immediately, and then cleaning up
> other problems with this driver can be addressed after, preferably by
> the maintainer.
>
Ah thanks. You are right on all counts, let's merge this.
>
> >
> > To be honest, I would prefer if we just checked:
> >
> > if (elt->length < sizeof(struct oz_get_desc_rsp) + 1)
> > return;
> > data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1;
> >
> > Shouldn't there be an upper bound on length? Shigekatsu?
>
> elt->length is a u8, so the upper bound is 255.
Yes. I know that, but is 255 correct?
regards,
dan carpenter
next prev parent reply other threads:[~2015-05-26 13:56 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-13 18:33 [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-15 15:02 ` David Laight
[not found] ` <CAHmME9oA3AxBvAYyu38o4Teo3QBjvJZLzmiAv7RyThGbtv6zkw@mail.gmail.com>
2015-05-15 18:04 ` Jason A. Donenfeld
2015-05-16 10:20 ` Charles (Chas) Williams
2015-05-13 18:33 ` [PATCH 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-13 18:43 ` [oss-security] [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Greg KH
2015-05-13 18:48 ` Jason A. Donenfeld
2015-05-13 18:53 ` Greg KH
2015-05-13 18:58 ` Jason A. Donenfeld
2015-05-13 18:58 ` [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-24 20:26 ` Greg Kroah-Hartman
2015-05-13 18:58 ` [PATCH 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-13 18:58 ` [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-13 18:58 ` [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-26 13:32 ` Dan Carpenter
2015-05-26 13:49 ` Jason A. Donenfeld
2015-05-26 13:56 ` Dan Carpenter [this message]
2015-05-26 14:58 ` Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-26 14:06 ` Dan Carpenter
2015-05-26 14:34 ` [oss-security] " Jason A. Donenfeld
2015-05-28 11:04 ` Dan Carpenter
2015-05-28 15:37 ` Jason A. Donenfeld
2015-05-28 16:34 ` Greg Kroah-Hartman
2015-05-29 11:06 ` [PATCH v3 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-29 11:06 ` [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-29 12:00 ` Dan Carpenter
2015-05-29 12:36 ` Frans Klaver
2015-05-29 12:41 ` Dan Carpenter
2015-05-29 15:20 ` Jason A. Donenfeld
2015-05-29 15:29 ` Dan Carpenter
2015-05-29 15:21 ` Jason A. Donenfeld
2015-05-29 11:06 ` [PATCH v3 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-29 11:07 ` [PATCH v3 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-29 11:07 ` [PATCH v3 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150526135635.GH11588@mwanda \
--to=dan.carpenter@oracle.com \
--cc=Jason@zx2c4.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.