oss-sec mailing list archives
Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow
From: Dan Carpenter <dan.carpenter () oracle com>
Date: Tue, 26 May 2015 16:32:21 +0300
On Tue, May 26, 2015 at 02:17:46PM +0200, Jason A. Donenfeld wrote:
+ data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1;
This was in the original code, but I wonder where the + 1 comes from. Does anyone know? To be honest, I would prefer if we just checked: if (elt->length < sizeof(struct oz_get_desc_rsp) + 1) return; data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1; Shouldn't there be an upper bound on length? Shigekatsu? regards, dan carpenter
Current thread:
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities, (continued)
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Greg KH (May 13)
- [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)
- [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld (May 13)
- Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Greg Kroah-Hartman (May 24)
- [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 13)
- [PATCH 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 13)
- [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 13)
- [PATCH v2 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 26)
- [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld (May 26)
- Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Dan Carpenter (May 26)
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)
- [PATCH v2 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 26)
- [PATCH v2 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 26)
- [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 26)
- Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Dan Carpenter (May 26)
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)