lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20140720134913.13895140074@xenon.ts.pxnet.com>
Date:	Sun, 20 Jul 2014 15:49:12 +0200 (CEST)
From:	Tilman Schmidt <tilman@...p.cc>
To:	netdev@...r.kernel.org
CC:	David Miller <davem@...emloft.net>,
	Dan Carpenter <dan.carpenter@...cle.com>,
	Karsten Keil <isdn@...ux-pingi.de>,
	isdn4linux@...tserv.isdn4linux.de
Subject: [PATCH] isdn/capi: avoid index overrun from command_2_index()

The result of the function command_2_index() is used to index two
arrays mnames[] and cpars[] with max. index 0x4e but in its current
form that function can produce results up to 3*(0x9+0x9)+0x7f = 0xb5.
Legal values for the function's first argument (c) according to the
CAPI 2.0 standard are 0x00..0x08, 0x41, 0x80, 0x82..0x88, and 0xff.
This patch modifies command_2_index() in such a way that the result
is unchanged for legal values of c, and guaranteed to be less or
equal to 0x4e for any argument values.

Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
Signed-off-by: Tilman Schmidt <tilman@...p.cc>
---
 drivers/isdn/capi/capiutil.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/drivers/isdn/capi/capiutil.c b/drivers/isdn/capi/capiutil.c
index 6e797e5..b666d8b 100644
--- a/drivers/isdn/capi/capiutil.c
+++ b/drivers/isdn/capi/capiutil.c
@@ -201,15 +201,10 @@ static unsigned char *cpars[] =
 #define structTRcpyovl(x, y, l) memmove(y, x, l)
 
 /*-------------------------------------------------------*/
-static unsigned command_2_index(unsigned c, unsigned sc)
+static unsigned command_2_index(u8 c, u8 sc)
 {
-	if (c & 0x80)
+	if (c & 0xf0)
 		c = 0x9 + (c & 0x0f);
-	else if (c <= 0x0f);
-	else if (c == 0x41)
-		c = 0x9 + 0x1;
-	else if (c == 0xff)
-		c = 0x00;
 	return (sc & 3) * (0x9 + 0x9) + c;
 }
 
-- 
1.9.2.459.g68773ac

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ