| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Mar 2018 09:37:56 -0800
From: Andrey Smirnov <andrew.smirnov@...il.com>
To: Lee Jones <lee.jones@...aro.org>
Cc: Andrey Smirnov <andrew.smirnov@...il.com>,
linux-kernel@...r.kernel.org, cphealy@...il.com,
Lucas Stach <l.stach@...gutronix.de>,
Guenter Roeck <linux@...ck-us.net>
Subject: [PATCH v2 3/3] mfd: rave-sp: Check received frame length before accepting next byte
Check received frame length _before_ accepting next byte in order to
avoid incorrectly rejecting payloads that are RAVE_SP_RX_BUFFER_SIZE
long.
Cc: linux-kernel@...r.kernel.org
Cc: cphealy@...il.com
Cc: Lucas Stach <l.stach@...gutronix.de>
Cc: Lee Jones <lee.jones@...aro.org>
Cc: Guenter Roeck <linux@...ck-us.net>
Tested-by: Lucas Stach <l.stach@...gutronix.de>
Acked-for-MFD-by: Lee Jones <lee.jones@...aro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@...il.com>
---
drivers/mfd/rave-sp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
index 5c1442fa2308..7db1b32d61e2 100644
--- a/drivers/mfd/rave-sp.c
+++ b/drivers/mfd/rave-sp.c
@@ -546,8 +546,6 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
/* FALLTHROUGH */
case RAVE_SP_EXPECT_ESCAPED_DATA:
- deframer->data[deframer->length++] = byte;
-
if (deframer->length == sizeof(deframer->data)) {
dev_warn(dev, "Bad frame: Too long\n");
/*
@@ -562,6 +560,8 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
goto reset_framer;
}
+ deframer->data[deframer->length++] = byte;
+
/*
* We've extracted out special byte, now we
* can go back to regular data collecting
--
2.14.3
Powered by blists - more mailing lists