| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20170504123623.GB26032@kuha.fi.intel.com>
Date: Thu, 4 May 2017 15:36:23 +0300
From: Heikki Krogerus <heikki.krogerus@...ux.intel.com>
To: Maksim Salau <maksim.salau@...il.com>
Cc: Juergen Stuber <starblue@...rs.sourceforge.net>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
legousb-devel@...ts.sourceforge.net, linux-usb@...r.kernel.org,
linux-kernel@...r.kernel.org,
Alfredo Rafael Vicente Boix <alviboi@...il.com>
Subject: Re: [PATCH v3] usb: misc: legousbtower: Fix buffers on stack
Hi Maksim,
Sorry for commenting this so late but..
On Tue, Apr 25, 2017 at 10:49:21PM +0300, Maksim Salau wrote:
> @@ -806,7 +814,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
> struct device *idev = &interface->dev;
> struct usb_device *udev = interface_to_usbdev(interface);
> struct lego_usb_tower *dev = NULL;
> - struct tower_get_version_reply get_version_reply;
> + struct tower_get_version_reply *get_version_reply = NULL;
> int retval = -ENOMEM;
> int result;
>
> @@ -871,6 +879,13 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
> dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
> dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
>
> + get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
> +
> + if (!get_version_reply) {
> + retval = -ENOMEM;
> + goto error;
> + }
> +
> /* get the firmware version and log it */
> result = usb_control_msg (udev,
> usb_rcvctrlpipe(udev, 0),
> @@ -878,18 +893,19 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
> USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
> 0,
> 0,
> - &get_version_reply,
> - sizeof(get_version_reply),
> + get_version_reply,
> + sizeof(*get_version_reply),
> 1000);
> if (result < 0) {
> dev_err(idev, "LEGO USB Tower get version control request failed\n");
> retval = result;
> goto error;
> }
> - dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
> - "build %d\n", get_version_reply.major,
> - get_version_reply.minor,
> - le16_to_cpu(get_version_reply.build_no));
> + dev_info(&interface->dev,
> + "LEGO USB Tower firmware version is %d.%d build %d\n",
> + get_version_reply->major,
> + get_version_reply->minor,
> + le16_to_cpu(get_version_reply->build_no));
>
> /* we can register the device now, as it is ready */
> usb_set_intfdata (interface, dev);
> @@ -913,6 +929,7 @@ static int tower_probe (struct usb_interface *interface, const struct usb_device
Don't you need to free get_version_reply here?
> return retval;
>
> error:
> + kfree(get_version_reply);
> tower_delete(dev);
> return retval;
> }
Thanks,
--
heikki
Powered by blists - more mailing lists