lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20180308173756.13787-3-andrew.smirnov@gmail.com>
Date:   Thu,  8 Mar 2018 09:37:56 -0800
From:   Andrey Smirnov <andrew.smirnov@...il.com>
To:     Lee Jones <lee.jones@...aro.org>
Cc:     Andrey Smirnov <andrew.smirnov@...il.com>,
        linux-kernel@...r.kernel.org, cphealy@...il.com,
        Lucas Stach <l.stach@...gutronix.de>,
        Guenter Roeck <linux@...ck-us.net>
Subject: [PATCH v2 3/3] mfd: rave-sp: Check received frame length before accepting next byte

Check received frame length _before_ accepting next byte in order to
avoid incorrectly rejecting payloads that are RAVE_SP_RX_BUFFER_SIZE
long.

Cc: linux-kernel@...r.kernel.org
Cc: cphealy@...il.com
Cc: Lucas Stach <l.stach@...gutronix.de>
Cc: Lee Jones <lee.jones@...aro.org>
Cc: Guenter Roeck <linux@...ck-us.net>
Tested-by: Lucas Stach <l.stach@...gutronix.de>
Acked-for-MFD-by: Lee Jones <lee.jones@...aro.org>
Signed-off-by: Andrey Smirnov <andrew.smirnov@...il.com>
---
 drivers/mfd/rave-sp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
index 5c1442fa2308..7db1b32d61e2 100644
--- a/drivers/mfd/rave-sp.c
+++ b/drivers/mfd/rave-sp.c
@@ -546,8 +546,6 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
 			/* FALLTHROUGH */
 
 		case RAVE_SP_EXPECT_ESCAPED_DATA:
-			deframer->data[deframer->length++] = byte;
-
 			if (deframer->length == sizeof(deframer->data)) {
 				dev_warn(dev, "Bad frame: Too long\n");
 				/*
@@ -562,6 +560,8 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
 				goto reset_framer;
 			}
 
+			deframer->data[deframer->length++] = byte;
+
 			/*
 			 * We've extracted out special byte, now we
 			 * can go back to regular data collecting
-- 
2.14.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ