From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: oss-security <oss-security@lists.openwall.com>,
linux-kernel@vger.kernel.org,
Shigekatsu Tateno <shigekatsu.tateno@atmel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
devel@driverdev.osuosl.org
Subject: Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS
Date: Tue, 26 May 2015 17:06:55 +0300 [thread overview]
Message-ID: <20150526140654.GI11588@mwanda> (raw)
In-Reply-To: <1432642669-7289-5-git-send-email-Jason@zx2c4.com>
On Tue, May 26, 2015 at 02:17:49PM +0200, Jason A. Donenfeld wrote:
> diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c
> index 8552053..1bde6aa 100644
> --- a/drivers/staging/ozwpan/ozusbsvc1.c
> +++ b/drivers/staging/ozwpan/ozusbsvc1.c
> @@ -326,11 +326,13 @@ static void oz_usb_handle_ep_data(struct oz_usb_ctx *usb_ctx,
> struct oz_multiple_fixed *body =
> (struct oz_multiple_fixed *)data_hdr;
> u8 *data = body->data;
> - int n;
> + unsigned int n;
> if (!body->unit_size)
> break;
> n = (len - sizeof(struct oz_multiple_fixed)+1)
> / body->unit_size;
> + if (n > len / body->unit_size)
> + break;
You sure do like wrapping to a high value and testing the result for
wrapping instead of validating before doing the subtraction...
regards,
dan carpenter
next prev parent reply other threads:[~2015-05-26 14:07 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-13 18:33 [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-15 15:02 ` David Laight
[not found] ` <CAHmME9oA3AxBvAYyu38o4Teo3QBjvJZLzmiAv7RyThGbtv6zkw@mail.gmail.com>
2015-05-15 18:04 ` Jason A. Donenfeld
2015-05-16 10:20 ` Charles (Chas) Williams
2015-05-13 18:33 ` [PATCH 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-13 18:33 ` [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-13 18:43 ` [oss-security] [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Greg KH
2015-05-13 18:48 ` Jason A. Donenfeld
2015-05-13 18:53 ` Greg KH
2015-05-13 18:58 ` Jason A. Donenfeld
2015-05-13 18:58 ` [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-24 20:26 ` Greg Kroah-Hartman
2015-05-13 18:58 ` [PATCH 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-13 18:58 ` [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-13 18:58 ` [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-26 13:32 ` Dan Carpenter
2015-05-26 13:49 ` Jason A. Donenfeld
2015-05-26 13:56 ` Dan Carpenter
2015-05-26 14:58 ` Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-26 12:17 ` [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
2015-05-26 14:06 ` Dan Carpenter [this message]
2015-05-26 14:34 ` [oss-security] " Jason A. Donenfeld
2015-05-28 11:04 ` Dan Carpenter
2015-05-28 15:37 ` Jason A. Donenfeld
2015-05-28 16:34 ` Greg Kroah-Hartman
2015-05-29 11:06 ` [PATCH v3 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld
2015-05-29 11:06 ` [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld
2015-05-29 12:00 ` Dan Carpenter
2015-05-29 12:36 ` Frans Klaver
2015-05-29 12:41 ` Dan Carpenter
2015-05-29 15:20 ` Jason A. Donenfeld
2015-05-29 15:29 ` Dan Carpenter
2015-05-29 15:21 ` Jason A. Donenfeld
2015-05-29 11:06 ` [PATCH v3 2/4] ozwpan: Use unsigned ints " Jason A. Donenfeld
2015-05-29 11:07 ` [PATCH v3 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld
2015-05-29 11:07 ` [PATCH v3 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150526140654.GI11588@mwanda \
--to=dan.carpenter@oracle.com \
--cc=Jason@zx2c4.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oss-security@lists.openwall.com \
--cc=shigekatsu.tateno@atmel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox