| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Mar 2016 08:54:10 +0000 From: "Narsimhulu Musini (nmusini)" <nmusini@...co.com> To: Colin King <colin.king@...onical.com>, "Sesidhar Baddela (sebaddel)" <sebaddel@...co.com>, "James E . J . Bottomley" <JBottomley@...n.com>, "Martin K . Petersen" <martin.petersen@...cle.com>, "linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org> CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] snic: correctly check for array overrun on overly long version number On 26/02/16 4:28 am, "Colin King" <colin.king@...onical.com> wrote: >From: Colin Ian King <colin.king@...onical.com> > >The snic version number is expected to be 4 decimals in the form like >a netmask string with each number stored in an element in array v. >However, there is an off-by-one check on the number of elements in v >allowing one to pass a 5 decimal version number causing v[4] to be >referenced, causing a buffer overrun. Fix the off-by-one error by >comparing to i > 3 rather than 4. Acked-by: Narsimhulu Musini <nmusini@...co.com> > >Signed-off-by: Colin Ian King <colin.king@...onical.com> >--- > drivers/scsi/snic/snic_ctl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/drivers/scsi/snic/snic_ctl.c b/drivers/scsi/snic/snic_ctl.c >index aebe753..ab0e06b 100644 >--- a/drivers/scsi/snic/snic_ctl.c >+++ b/drivers/scsi/snic/snic_ctl.c >@@ -75,7 +75,7 @@ snic_ver_enc(const char *s) > continue; > } > >- if (i > 4 || !isdigit(c)) >+ if (i > 3 || !isdigit(c)) > goto end; > > v[i] = v[i] * 10 + (c - '0'); >-- >2.7.0 >
Powered by blists - more mailing lists