[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 26 May 2015 16:32:21 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>,
Shigekatsu Tateno <shigekatsu.tateno@...el.com>
Cc: oss-security <oss-security@...ts.openwall.com>,
linux-kernel@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
devel@...verdev.osuosl.org
Subject: Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow
On Tue, May 26, 2015 at 02:17:46PM +0200, Jason A. Donenfeld wrote:
> + data_len = elt->length -
> sizeof(struct oz_get_desc_rsp) + 1;
This was in the original code, but I wonder where the + 1 comes from.
Does anyone know?
To be honest, I would prefer if we just checked:
if (elt->length < sizeof(struct oz_get_desc_rsp) + 1)
return;
data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1;
Shouldn't there be an upper bound on length? Shigekatsu?
regards,
dan carpenter
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
