| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5315FA3B.8020700@alten.se> Date: Tue, 4 Mar 2014 17:07:23 +0100 From: Arvid Brodin <arvid.brodin@...en.se> To: Dave Jones <davej@...hat.com> CC: <netdev@...r.kernel.org> Subject: Re: out of bounds writes in net/hsr/ On 2014-03-04 04:27, Dave Jones wrote: > I found this in coverity, and I think it's a real bug.. > > hsr_register_frame_in does a check that dev_idx is between 0 and 2, > therefore, a dev_idx of 2 is possible when it gets to the array writes > at the end of the function. Thanks for finding this; it is a bug (although I don't think it has actually lead to any out of bound accesses). However, I think you are a bit late - I believe this was fixed in a patch from Dan Carpenter just a few days ago. See http://www.spinics.net/lists/netdev/msg272815.html > #define HSR_MAX_DEV (HSR_DEV_MASTER + 1) > > The + 1 seems odd, and looking at the other uses of HSR_MAX_DEV, I can't > figure out why it's there. > > Dave > Yes, maybe the names are a bit misleading, and they should be called something like HSR_DEVS and HSR_SLAVES instead. I.e.: some-type array-name[HSR_DEVS]; ... where the last element is accessed by array-name[HSR_MAX_DEV]. -- Arvid Brodin | Consultant (Linux) ALTEN | Knarrarnäsgatan 7 | SE-164 40 Kista | Sweden arvid.brodin@...en.se | www.alten.se/en/ -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists