oss-sec mailing list archives

Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS

From: Dan Carpenter <dan.carpenter () oracle com>
Date: Tue, 26 May 2015 17:06:55 +0300

On Tue, May 26, 2015 at 02:17:49PM +0200, Jason A. Donenfeld wrote:

diff --git a/drivers/staging/ozwpan/ozusbsvc1.c b/drivers/staging/ozwpan/ozusbsvc1.c
index 8552053..1bde6aa 100644
--- a/drivers/staging/ozwpan/ozusbsvc1.c
+++ b/drivers/staging/ozwpan/ozusbsvc1.c
@@ -326,11 +326,13 @@ static void oz_usb_handle_ep_data(struct oz_usb_ctx *usb_ctx,
                      struct oz_multiple_fixed *body =
                              (struct oz_multiple_fixed *)data_hdr;
                      u8 *data = body->data;
-                     int n;
+                     unsigned int n;
                      if (!body->unit_size)
                              break;
                      n = (len - sizeof(struct oz_multiple_fixed)+1)
                              / body->unit_size;
+                     if (n > len / body->unit_size)
+                             break;


You sure do like wrapping to a high value and testing the result for
wrapping instead of validating before doing the subtraction...

regards,
dan carpenter

Current thread:

Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow, (continued)
- - - Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Greg Kroah-Hartman (May 24)
    - [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 13)
    - [PATCH 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 13)
    - [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 13)
    - [PATCH v2 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 26)
    - [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld (May 26)
    - Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Dan Carpenter (May 26)
    - [PATCH v2 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 26)
    - [PATCH v2 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 26)
    - [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 26)
    - Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Dan Carpenter (May 26)
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Solar Designer (May 13)
  - Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)