oss-sec mailing list archives
Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS
From: Dan Carpenter <dan.carpenter () oracle com>
Date: Tue, 26 May 2015 17:06:55 +0300
On Tue, May 26, 2015 at 02:17:49PM +0200, Jason A. Donenfeld wrote:
diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c index 8552053..1bde6aa 100644 --- a/drivers/staging/ozwpan/ozusbsvc1.c +++ b/drivers/staging/ozwpan/ozusbsvc1.c @@ -326,11 +326,13 @@ static void oz_usb_handle_ep_data(struct oz_usb_ctx *usb_ctx, struct oz_multiple_fixed *body = (struct oz_multiple_fixed *)data_hdr; u8 *data = body->data; - int n; + unsigned int n; if (!body->unit_size) break; n = (len - sizeof(struct oz_multiple_fixed)+1) / body->unit_size; + if (n > len / body->unit_size) + break;
You sure do like wrapping to a high value and testing the result for wrapping instead of validating before doing the subtraction... regards, dan carpenter
Current thread:
- Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow, (continued)
- Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Greg Kroah-Hartman (May 24)
- [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 13)
- [PATCH 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 13)
- [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 13)
- [PATCH v2 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 26)
- [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld (May 26)
- Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Dan Carpenter (May 26)
- [PATCH v2 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 26)
- [PATCH v2 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 26)
- [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 26)
- Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Dan Carpenter (May 26)
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)