| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240812084312.14127-1-r.smirnov@omp.ru>
Date: Mon, 12 Aug 2024 11:43:11 +0300
From: Roman Smirnov <r.smirnov@....ru>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>, Breno Leitao <leitao@...ian.org>
CC: Roman Smirnov <r.smirnov@....ru>, <netdev@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, Karina Yankevich <k.yankevich@....ru>, Sergey
Shtylyov <s.shtylyov@....ru>, <lvc-project@...uxtesting.org>
Subject: [PATCH] drivers: net: bsd_comp: fix integer overflow in bsd_decompress()
The result of a bit shift has type int. If ibuf is greater than or
equal to 128, a sign switch will occur. After that, the higher 32
bits in accm will be set to 1.
Cast the result of the expression to unsigned long.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Signed-off-by: Roman Smirnov <r.smirnov@....ru>
---
drivers/net/ppp/bsd_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ppp/bsd_comp.c b/drivers/net/ppp/bsd_comp.c
index 55954594e157..078fe8c9bee8 100644
--- a/drivers/net/ppp/bsd_comp.c
+++ b/drivers/net/ppp/bsd_comp.c
@@ -918,7 +918,7 @@ static int bsd_decompress (void *state, unsigned char *ibuf, int isize,
*/
bitno -= 8;
- accm |= *ibuf++ << bitno;
+ accm |= (unsigned long)(*ibuf++) << bitno;
if (tgtbitno < bitno)
{
continue;
--
2.43.0
Powered by blists - more mailing lists