* [PATCH] sdio: Read buffer overflow @ 2009-08-07 15:15 Roel Kluin 2009-08-07 16:45 ` David Vrabel 0 siblings, 1 reply; 3+ messages in thread From: Roel Kluin @ 2009-08-07 15:15 UTC (permalink / raw) To: drzeus, LKML, Andrew Morton If the loop breaks with an index of 0, then we read before the array. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> --- diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c index 963f293..0f8853c 100644 --- a/drivers/mmc/core/sdio_cis.c +++ b/drivers/mmc/core/sdio_cis.c @@ -40,7 +40,7 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, nr_strings++; } - if (buf[i-1] != '\0') { + if (i != 0 && buf[i-1] != '\0') { printk(KERN_WARNING "SDIO: ignoring broken CISTPL_VERS_1\n"); return 0; } ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] sdio: Read buffer overflow 2009-08-07 15:15 [PATCH] sdio: Read buffer overflow Roel Kluin @ 2009-08-07 16:45 ` David Vrabel 2009-08-07 17:42 ` Roel Kluin 0 siblings, 1 reply; 3+ messages in thread From: David Vrabel @ 2009-08-07 16:45 UTC (permalink / raw) To: Roel Kluin; +Cc: drzeus, LKML, Andrew Morton Roel Kluin wrote: > If the loop breaks with an index of 0, then we read before the array. This isn't a helpful subject or changelog comment really. Suggest sdio: avoid buffer underrun when parsing an invalid CISTPL_VERS_1 > Signed-off-by: Roel Kluin <roel.kluin@gmail.com> > --- > diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c > index 963f293..0f8853c 100644 > --- a/drivers/mmc/core/sdio_cis.c > +++ b/drivers/mmc/core/sdio_cis.c > @@ -40,7 +40,7 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, > nr_strings++; > } > > - if (buf[i-1] != '\0') { > + if (i != 0 && buf[i-1] != '\0') { Looking at the PC Card 8.0 spec (vol 4, section 3.2.10) this test could simply be: if (nr_strings < 4) { > printk(KERN_WARNING "SDIO: ignoring broken CISTPL_VERS_1\n"); > return 0; > } -- David Vrabel, Senior Software Engineer, Drivers CSR, Churchill House, Cambridge Business Park, Tel: +44 (0)1223 692562 Cowley Road, Cambridge, CB4 0WZ http://www.csr.com/ 'member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom' ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] sdio: Read buffer overflow 2009-08-07 16:45 ` David Vrabel @ 2009-08-07 17:42 ` Roel Kluin 0 siblings, 0 replies; 3+ messages in thread From: Roel Kluin @ 2009-08-07 17:42 UTC (permalink / raw) To: David Vrabel; +Cc: drzeus, LKML, Andrew Morton sdio: avoid buffer underrun when parsing an invalid CISTPL_VERS_1 Signed-off-by: Roel Kluin <roel.kluin@gmail.com> --- Thanks for comments, diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c index 963f293..6636354 100644 --- a/drivers/mmc/core/sdio_cis.c +++ b/drivers/mmc/core/sdio_cis.c @@ -40,7 +40,7 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, nr_strings++; } - if (buf[i-1] != '\0') { + if (nr_strings < 4) { printk(KERN_WARNING "SDIO: ignoring broken CISTPL_VERS_1\n"); return 0; } ^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-08-07 17:39 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-08-07 15:15 [PATCH] sdio: Read buffer overflow Roel Kluin 2009-08-07 16:45 ` David Vrabel 2009-08-07 17:42 ` Roel Kluin
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox