Date: Tue, 26 May 2015 16:32:21 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>, Shigekatsu Tateno <shigekatsu.tateno@...el.com>
Cc: oss-security <oss-security@...ts.openwall.com>, linux-kernel@...r.kernel.org, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, devel@...verdev.osuosl.org
Subject: Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow

On Tue, May 26, 2015 at 02:17:46PM +0200, Jason A. Donenfeld wrote:
> + data_len = elt->length -
> sizeof(struct oz_get_desc_rsp) + 1;

This was in the original code, but I wonder where the + 1 comes from.
Does anyone know?

To be honest, I would prefer if we just checked:

	if (elt->length < sizeof(struct oz_get_desc_rsp) + 1)
		return;
	data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1;

Shouldn't there be an upper bound on length? Shigekatsu?

regards,
dan carpenter
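
Review bot: the subtraction in the quoted `data_len` assignment is evaluated in unsigned arithmetic because `sizeof` yields a `size_t`, so an `elt->length` smaller than `sizeof(struct oz_get_desc_rsp) - 1` wraps to a very large value rather than going negative. The quoted line shows no lower-bound test on `elt->length` ahead of it; if the surrounding code does not already have one, reject the short element before the assignment. The `+ 1` also deserves a comment naming what it accounts for, since the expression alone does not say which byte of the structure it is adding back.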