| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180226150739.13457-3-andrew.smirnov@gmail.com>
Date: Mon, 26 Feb 2018 07:07:39 -0800
From: Andrey Smirnov <andrew.smirnov@...il.com>
To: Lee Jones <lee.jones@...aro.org>
Cc: Andrey Smirnov <andrew.smirnov@...il.com>,
linux-kernel@...r.kernel.org, cphealy@...il.com,
Lucas Stach <l.stach@...gutronix.de>,
Guenter Roeck <linux@...ck-us.net>
Subject: [PATCH 3/3] mfd: rave-sp: Check received frame length before accepting next byte
Check received frame length _before_ accepting next byte in order to
avoid incorrectly rejecting payloads that are RAVE_SP_RX_BUFFER_SIZE
long.
Cc: linux-kernel@...r.kernel.org
Cc: cphealy@...il.com
Cc: Lucas Stach <l.stach@...gutronix.de>
Cc: Lee Jones <lee.jones@...aro.org>
Cc: Guenter Roeck <linux@...ck-us.net>
Signed-off-by: Andrey Smirnov <andrew.smirnov@...il.com>
---
drivers/mfd/rave-sp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
index cec1e309b31f..76fa32006a1b 100644
--- a/drivers/mfd/rave-sp.c
+++ b/drivers/mfd/rave-sp.c
@@ -548,8 +548,6 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
/* FALLTHROUGH */
case RAVE_SP_EXPECT_ESCAPED_DATA:
- deframer->data[deframer->length++] = byte;
-
if (deframer->length == sizeof(deframer->data)) {
dev_warn(dev, "Bad frame: Too long\n");
/*
@@ -564,6 +562,8 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
goto reset_framer;
}
+ deframer->data[deframer->length++] = byte;
+
/*
* We've extracted out special byte, now we
* can go back to regular data collecting
--
2.14.3
Powered by blists - more mailing lists