Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>,
	Shigekatsu Tateno <shigekatsu.tateno@atmel.com>
Cc: oss-security <oss-security@lists.openwall.com>,
	linux-kernel@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	devel@driverdev.osuosl.org
Subject: Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow
Date: Tue, 26 May 2015 16:32:21 +0300	[thread overview]
Message-ID: <20150526133221.GG11588@mwanda> (raw)
In-Reply-To: <1432642669-7289-2-git-send-email-Jason@zx2c4.com>

On Tue, May 26, 2015 at 02:17:46PM +0200, Jason A. Donenfeld wrote:
> +			data_len = elt->length -
>  					sizeof(struct oz_get_desc_rsp) + 1;

This was in the original code, but I wonder where the + 1 comes from.
Does anyone know?

To be honest, I would prefer if we just checked:

	if (elt->length < sizeof(struct oz_get_desc_rsp) + 1)
		return;
	data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1;

Shouldn't there be an upper bound on length?  Shigekatsu?

regards,
dan carpenter

next prev parent reply	other threads:[~2015-05-26 13:32 UTC|newest]

Thread overview: 42+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-13 18:33 [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-15 15:02   ` David Laight
     [not found]     ` <CAHmME9oA3AxBvAYyu38o4Teo3QBjvJZLzmiAv7RyThGbtv6zkw@mail.gmail.com>
2015-05-15 18:04       ` Jason A. Donenfeld
2015-05-16 10:20     ` Charles (Chas) Williams
2015-05-13 18:33 ` [PATCH 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-13 18:43 ` [oss-security] [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Greg KH
2015-05-13 18:48   ` Jason A. Donenfeld
2015-05-13 18:53     ` Greg KH
2015-05-13 18:58       ` Jason A. Donenfeld
2015-05-13 18:58         ` [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-24 20:26           ` Greg Kroah-Hartman
2015-05-13 18:58         ` [PATCH 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-13 18:58         ` [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-13 18:58         ` [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-26 12:17         ` [PATCH v2 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-26 12:17           ` [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-26 13:32             ` Dan Carpenter [this message]
2015-05-26 13:49               ` Jason A. Donenfeld
2015-05-26 13:56                 ` Dan Carpenter
2015-05-26 14:58                   ` Jason A. Donenfeld
2015-05-26 12:17           ` [PATCH v2 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-26 12:17           ` [PATCH v2 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-26 12:17           ` [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-26 14:06             ` Dan Carpenter
2015-05-26 14:34               ` [oss-security] " Jason A. Donenfeld
2015-05-28 11:04                 ` Dan Carpenter
2015-05-28 15:37                   ` Jason A. Donenfeld
2015-05-28 16:34                     ` Greg Kroah-Hartman
2015-05-29 11:06           ` [PATCH v3 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-29 11:06             ` [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-29 12:00               ` Dan Carpenter
2015-05-29 12:36                 ` Frans Klaver
2015-05-29 12:41                   ` Dan Carpenter
2015-05-29 15:20                     ` Jason A. Donenfeld
2015-05-29 15:29                       ` Dan Carpenter
2015-05-29 15:21                   ` Jason A. Donenfeld
2015-05-29 11:06             ` [PATCH v3 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-29 11:07             ` [PATCH v3 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-29 11:07             ` [PATCH v3 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150526133221.GG11588@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=Jason@zx2c4.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oss-security@lists.openwall.com \
    --cc=shigekatsu.tateno@atmel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox