From: Simon Arlott <simon@fire.lp0.eu>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH 2/8] cxacru: check data length is not negative
Date: Sat, 21 Nov 2009 15:07:14 +0000
Message-ID: <4B080222.50403@simon.arlott.org.uk>
In-Reply-To: <4B08013B.90403@simon.arlott.org.uk>

When attempting to read data that is not actually
an array of values, the length may be negative
which causes an Oops due to a likely access off
the end of the data array.

This bug should not occur under normal use unless
the device returns an invalid response.

Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
---
drivers/usb/atm/cxacru.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
index 4a26a6c..8da4a06 100644
--- a/drivers/usb/atm/cxacru.c
+++ b/drivers/usb/atm/cxacru.c
@@ -596,7 +596,7 @@ static int cxacru_cm_get_array(struct cxacru_data *instance, enum cxacru_cm_requ
len = ret / 4;
for (offb = 0; offb < len; ) {
int l = le32_to_cpu(buf[offb++]);
- if (l > stride || l > (len - offb) / 2) {
+ if (l < 0 || l > stride || l > (len - offb) / 2) {
if (printk_ratelimit())
usb_err(instance->usbatm, "invalid data length from cm %#x: %d\n",
cm, l);
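
Review bot: At `int l = le32_to_cpu(buf[offb++]);` the device-supplied 32-bit length is stored in a signed int, which is the only reason the new `l < 0` test on the next line is needed. The explicit check is correct as written. An alternative worth considering is declaring `l` as `u32`, so that any value with the top bit set is rejected by the existing `l > stride` bound without a separate comparison, and changing `%d` to `%u` in the usb_err() format. That variant relies on `stride` and `(len - offb) / 2` being non-negative at this point; the visible context does not show the type or range of `stride`, so if that cannot be guaranteed, keeping the explicit `l < 0` comparison is the safer minimal fix.
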
--
1.6.3.3
--
Simon Arlott