* [PATCH] sdio: Read buffer overflow
@ 2009-08-07 15:15 Roel Kluin
2009-08-07 16:45 ` David Vrabel
0 siblings, 1 reply; 3+ messages in thread
From: Roel Kluin @ 2009-08-07 15:15 UTC (permalink / raw)
To: drzeus, LKML, Andrew Morton
If the loop breaks with an index of 0, then we read before the array.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
index 963f293..0f8853c 100644
--- a/drivers/mmc/core/sdio_cis.c
+++ b/drivers/mmc/core/sdio_cis.c
@@ -40,7 +40,7 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
nr_strings++;
}
- if (buf[i-1] != '\0') {
+ if (i != 0 && buf[i-1] != '\0') {
printk(KERN_WARNING "SDIO: ignoring broken CISTPL_VERS_1\n");
return 0;
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] sdio: Read buffer overflow
2009-08-07 15:15 [PATCH] sdio: Read buffer overflow Roel Kluin
@ 2009-08-07 16:45 ` David Vrabel
2009-08-07 17:42 ` Roel Kluin
0 siblings, 1 reply; 3+ messages in thread
From: David Vrabel @ 2009-08-07 16:45 UTC (permalink / raw)
To: Roel Kluin; +Cc: drzeus, LKML, Andrew Morton
Roel Kluin wrote:
> If the loop breaks with an index of 0, then we read before the array.
This isn't a helpful subject or changelog comment really. Suggest
sdio: avoid buffer underrun when parsing an invalid CISTPL_VERS_1
> Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
> ---
> diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
> index 963f293..0f8853c 100644
> --- a/drivers/mmc/core/sdio_cis.c
> +++ b/drivers/mmc/core/sdio_cis.c
> @@ -40,7 +40,7 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
> nr_strings++;
> }
>
> - if (buf[i-1] != '\0') {
> + if (i != 0 && buf[i-1] != '\0') {
Looking at the PC Card 8.0 spec (vol 4, section 3.2.10) this test could
simply be:
if (nr_strings < 4) {
> printk(KERN_WARNING "SDIO: ignoring broken CISTPL_VERS_1\n");
> return 0;
> }
--
David Vrabel, Senior Software Engineer, Drivers
CSR, Churchill House, Cambridge Business Park, Tel: +44 (0)1223 692562
Cowley Road, Cambridge, CB4 0WZ http://www.csr.com/
'member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom'
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] sdio: Read buffer overflow
2009-08-07 16:45 ` David Vrabel
@ 2009-08-07 17:42 ` Roel Kluin
0 siblings, 0 replies; 3+ messages in thread
From: Roel Kluin @ 2009-08-07 17:42 UTC (permalink / raw)
To: David Vrabel; +Cc: drzeus, LKML, Andrew Morton
sdio: avoid buffer underrun when parsing an invalid CISTPL_VERS_1
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
Thanks for comments,
diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c
index 963f293..6636354 100644
--- a/drivers/mmc/core/sdio_cis.c
+++ b/drivers/mmc/core/sdio_cis.c
@@ -40,7 +40,7 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func,
nr_strings++;
}
- if (buf[i-1] != '\0') {
+ if (nr_strings < 4) {
printk(KERN_WARNING "SDIO: ignoring broken CISTPL_VERS_1\n");
return 0;
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-08-07 17:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-08-07 15:15 [PATCH] sdio: Read buffer overflow Roel Kluin
2009-08-07 16:45 ` David Vrabel
2009-08-07 17:42 ` Roel Kluin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox