From: Tilman Schmidt <tilman@imap.cc>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Hansjoerg Lipp <hjlipp@web.de>,
Karsten Keil <isdn@linux-pingi.de>,
gigaset307x-common@lists.sourceforge.net, netdev@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] isdn/gigaset: off by one check leading to oops
Date: Fri, 18 Jan 2013 12:18:00 +0000 [thread overview]
Message-ID: <50F93D78.5010903@imap.cc> (raw)
In-Reply-To: <20130117074405.GA26270@elgon.mountain>
[-- Attachment #1: Type: text/plain, Size: 1487 bytes --]
Hi Dan,
Am 17.01.2013 08:44, schrieb Dan Carpenter:
> If l == 12 then later we subtract 12 leaving zero. We do a zero size
> allocation, so "dbgline" points to the ZERO_SIZE_PTR. It leads to an
> oops when we set the NUL terminator:
> dbgline[3 * l - 1] = '\0';
thanks for finding that bug, but NAK to your fix.
> @@ -239,7 +239,7 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
> return;
>
> l = CAPIMSG_LEN(data);
> - if (l < 12) {
> + if (l <= 12) {
> gig_dbg(level, "%s: ??? LEN=%04d", tag, l);
> return;
> }
CAPI messages of exactly 12 bytes are legal, and should be decoded
with the regular gig_dbg() call immediately after that hunk. It's
just the hex dump part that should be skipped in that case.
So I'd prefer to have it fixed this way instead:
@@ -248,6 +248,8 @@ static inline void dump_rawmsg(enum debuglevel
level, const char *tag,
CAPIMSG_APPID(data), CAPIMSG_MSGID(data), l,
CAPIMSG_CONTROL(data));
l -= 12;
+ if (l <= 0)
+ return;
dbgline = kmalloc(3 * l, GFP_ATOMIC);
if (!dbgline)
return;
I'll prepare a patch of my own, citing you as reporter, if that's
ok with you.
Thanks,
Tilman
--
Tilman Schmidt E-Mail: tilman@imap.cc
Bonn, Germany
Diese Nachricht besteht zu 100% aus wiederverwerteten Bits.
Ungeöffnet mindestens haltbar bis: (siehe Rückseite)
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Tilman Schmidt <tilman@imap.cc>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Hansjoerg Lipp <hjlipp@web.de>,
Karsten Keil <isdn@linux-pingi.de>,
gigaset307x-common@lists.sourceforge.net, netdev@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [patch] isdn/gigaset: off by one check leading to oops
Date: Fri, 18 Jan 2013 13:18:00 +0100 [thread overview]
Message-ID: <50F93D78.5010903@imap.cc> (raw)
In-Reply-To: <20130117074405.GA26270@elgon.mountain>
[-- Attachment #1: Type: text/plain, Size: 1487 bytes --]
Hi Dan,
Am 17.01.2013 08:44, schrieb Dan Carpenter:
> If l == 12 then later we subtract 12 leaving zero. We do a zero size
> allocation, so "dbgline" points to the ZERO_SIZE_PTR. It leads to an
> oops when we set the NUL terminator:
> dbgline[3 * l - 1] = '\0';
thanks for finding that bug, but NAK to your fix.
> @@ -239,7 +239,7 @@ static inline void dump_rawmsg(enum debuglevel level, const char *tag,
> return;
>
> l = CAPIMSG_LEN(data);
> - if (l < 12) {
> + if (l <= 12) {
> gig_dbg(level, "%s: ??? LEN=%04d", tag, l);
> return;
> }
CAPI messages of exactly 12 bytes are legal, and should be decoded
with the regular gig_dbg() call immediately after that hunk. It's
just the hex dump part that should be skipped in that case.
So I'd prefer to have it fixed this way instead:
@@ -248,6 +248,8 @@ static inline void dump_rawmsg(enum debuglevel
level, const char *tag,
CAPIMSG_APPID(data), CAPIMSG_MSGID(data), l,
CAPIMSG_CONTROL(data));
l -= 12;
+ if (l <= 0)
+ return;
dbgline = kmalloc(3 * l, GFP_ATOMIC);
if (!dbgline)
return;
I'll prepare a patch of my own, citing you as reporter, if that's
ok with you.
Thanks,
Tilman
--
Tilman Schmidt E-Mail: tilman@imap.cc
Bonn, Germany
Diese Nachricht besteht zu 100% aus wiederverwerteten Bits.
Ungeöffnet mindestens haltbar bis: (siehe Rückseite)
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
next prev parent reply other threads:[~2013-01-18 12:18 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-17 7:44 [patch] isdn/gigaset: off by one check leading to oops Dan Carpenter
2013-01-17 7:44 ` Dan Carpenter
2013-01-18 12:18 ` Tilman Schmidt [this message]
2013-01-18 12:18 ` Tilman Schmidt
2013-01-18 12:26 ` Dan Carpenter
2013-01-18 12:26 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50F93D78.5010903@imap.cc \
--to=tilman@imap.cc \
--cc=dan.carpenter@oracle.com \
--cc=gigaset307x-common@lists.sourceforge.net \
--cc=hjlipp@web.de \
--cc=isdn@linux-pingi.de \
--cc=kernel-janitors@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.