Message-ID: <20150611075852.GE11734@mwanda>
Date: Thu, 11 Jun 2015 10:58:52 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Rasmus Villemoes <linux@...musvillemoes.dk>
Cc: linux-kernel@...r.kernel.org
Subject: Re: isdn: pcbit: another off-by-one issue?
On Wed, Jun 10, 2015 at 09:50:53PM +0200, Rasmus Villemoes wrote:
> Hi Dan
>
> You were last to touch drivers/isdn/pcbit/drv.c (7bcc6738eef), but I
> think there may still be an off-by-one in pcbit_set_msn: At the end of
> the loop, sp is incremented by len, but if the string contained a comma,
> sp will now point at that. At that point, we seem to be stuck in an
> infinite loop where we'll always get cp==sp and len==0, until we run out
> of memory.
>
> Am I reading this completely wrong?
Nope. You're right. That bug has been there since before the start of
git. We could fix it by doing:
diff --git a/drivers/isdn/pcbit/drv.c b/drivers/isdn/pcbit/drv.c
index 4172e22..b156d5b 100644
--- a/drivers/isdn/pcbit/drv.c
+++ b/drivers/isdn/pcbit/drv.c
@@ -1053,7 +1053,7 @@ static void pcbit_set_msn(struct pcbit_dev *dev, char *list)
else
back->next = ptr;
back = ptr;
- sp += len;
+ sp += len + 1;
} while (cp);
}
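Review bot: `sp += len + 1;` is applied unconditionally, so it also runs on the last pass, where `cp` is NULL and `} while (cp);` ends the loop. If `len` is the token length on that pass too, `sp` ends up one past the string's terminating NUL. Nothing in the visible lines reads `sp` afterwards, so this is harmless, but the intent would be clearer if the pointer only advanced when a separator was found, for example `if (cp) sp = cp + 1;`. Otherwise a short comment that the `+ 1` skips the comma would do. The fix as posted also carries no changelog or Signed-off-by, which it would need before it could be applied.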
regards,
dan carpenter
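
The loop behaviour described in the quoted report, as an added example that is not part of the original mail and is not the driver's code: a simplified user-space model of a comma-separated list walker. The names `walk_list`, `skip_sep` and `max_iter`, the way `len` is computed, and the input strings are assumptions made for illustration; the iteration cap stands in for the driver running out of memory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not drivers/isdn/pcbit/drv.c: counts tokens
 * instead of allocating a list node per token. */
struct walk {
    int tokens;  /* loop passes, i.e. nodes the driver would allocate */
    int empty;   /* passes that produced a zero-length token */
    int stuck;   /* 1 if the cap was hit before the loop ended */
};

static struct walk walk_list(const char *list, int skip_sep, int max_iter)
{
    struct walk w = {0, 0, 0};
    const char *sp = list, *cp;
    size_t len;

    do {
        if (w.tokens == max_iter) {   /* stand-in for "out of memory" */
            w.stuck = 1;
            break;
        }
        cp = strchr(sp, ',');
        /* Assumed: len is the distance to the comma, or the rest of
         * the string when no comma is left. */
        len = cp ? (size_t)(cp - sp) : strlen(sp);
        w.tokens++;
        if (len == 0)
            w.empty++;
        /* skip_sep == 0: sp lands on the comma, so the next strchr()
         * returns sp itself and len is 0 on every later pass.
         * skip_sep == 1: the separator is stepped over as well. */
        sp += skip_sep ? len + 1 : len;
    } while (cp);
    return w;
}

int main(void)
{
    const char *msn = "123,456,789";   /* constructed sample input */
    struct walk before = walk_list(msn, 0, 100);
    struct walk after = walk_list(msn, 1, 100);

    printf("before: tokens=%d empty=%d stuck=%d\n",
           before.tokens, before.empty, before.stuck);
    printf("after:  tokens=%d empty=%d stuck=%d\n",
           after.tokens, after.empty, after.stuck);
    return 0;
}
```

A list without any comma terminates in both variants, which is why the problem only shows up once a second entry is supplied.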