Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 26 May 2015 17:06:55 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
        linux-kernel@...r.kernel.org,
        Shigekatsu Tateno <shigekatsu.tateno@...el.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        devel@...verdev.osuosl.org
Subject: Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS

On Tue, May 26, 2015 at 02:17:49PM +0200, Jason A. Donenfeld wrote:
> diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c
> index 8552053..1bde6aa 100644
> --- a/drivers/staging/ozwpan/ozusbsvc1.c
> +++ b/drivers/staging/ozwpan/ozusbsvc1.c
> @@ -326,11 +326,13 @@ static void oz_usb_handle_ep_data(struct oz_usb_ctx *usb_ctx,
>  			struct oz_multiple_fixed *body =
>  				(struct oz_multiple_fixed *)data_hdr;
>  			u8 *data = body->data;
> -			int n;
> +			unsigned int n;
>  			if (!body->unit_size)
>  				break;
>  			n = (len - sizeof(struct oz_multiple_fixed)+1)
>  				/ body->unit_size;
> +			if (n > len / body->unit_size)
> +				break;

You sure do like wrapping to a high value and testing the result for
wrapping instead of validating before doing the subtraction...

regards,
dan carpenter

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.