| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160130143455.GA3462@mwanda> Date: Sat, 30 Jan 2016 17:34:55 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Cc: Aaron Raimist <aaronraimist@...eup.net>, accessrunner-general@...ts.sourceforge.net, linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org Subject: [patch] USB: cxacru: fix an bounds check warning This is a privileged operation so it doesn't matter much. We use "tmp" as an offset into an array. If it were invalid we could read out of bounds and trigger an oops if the memory is not mapped. Plus it makes static checkers complain. Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com> --- This changes the behavior a little bit because in the original we could give slightly invalid "len" values and the function would still work... Please review it extra carefully to make sure it doesn't break userspace. diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c index 1173f9c..0a866e9 100644 --- a/drivers/usb/atm/cxacru.c +++ b/drivers/usb/atm/cxacru.c @@ -476,6 +476,8 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev, return -EINVAL; if (index < 0 || index > 0x7f) return -EINVAL; + if (tmp < 0 || tmp > len - pos) + return -EINVAL; pos += tmp; /* skip trailing newline */
Powered by blists - more mailing lists