oss-sec mailing list archives

Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow

From: Dan Carpenter <dan.carpenter () oracle com>
Date: Tue, 26 May 2015 16:32:21 +0300

On Tue, May 26, 2015 at 02:17:46PM +0200, Jason A. Donenfeld wrote:

+                     data_len = elt->length -
                                      sizeof(struct oz_get_desc_rsp) + 1;


This was in the original code, but I wonder where the + 1 comes from.
Does anyone know?

To be honest, I would prefer if we just checked:

        if (elt->length < sizeof(struct oz_get_desc_rsp) + 1)
                return;
        data_len = elt->length - sizeof(struct oz_get_desc_rsp) + 1;

Shouldn't there be an upper bound on length?  Shigekatsu?

regards,
dan carpenter

Current thread:

Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities, (continued)
- - Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)
    - Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Greg KH (May 13)
    - [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)
    - [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld (May 13)
    - Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow Greg Kroah-Hartman (May 24)
    - [PATCH 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 13)
    - [PATCH 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 13)
    - [PATCH 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 13)
    - [PATCH v2 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 26)
    - [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Jason A. Donenfeld (May 26)
    - Re: [PATCH v2 1/4] ozwpan: Use proper check to prevent heap overflow Dan Carpenter (May 26)
    - [PATCH v2 2/4] ozwpan: Use unsigned ints to prevent heap overflow Jason A. Donenfeld (May 26)
    - [PATCH v2 3/4] ozwpan: divide-by-zero leading to panic Jason A. Donenfeld (May 26)
    - [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Jason A. Donenfeld (May 26)
    - Re: [PATCH v2 4/4] ozwpan: unchecked signed subtraction leads to DoS Dan Carpenter (May 26)
- Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Solar Designer (May 13)
  - Re: [PATCH 0/4] ozwpan: Four remote packet-of-death vulnerabilities Jason A. Donenfeld (May 13)