[bug report] ti-st: potential overflow calling st_send_frame()

Hi Pavan,

I was doing an audit for buffer overflows and I think there may be a
problem in the ti-st driver.

drivers/staging/ti-st/st_core.c +269
	st_int_recv(45) error: buffer overflow calling st_send_frame. param 0.  3 >= 3
   264                          case ST_BT_W4_DATA:
   265                                  pr_debug("Complete pkt received");
   266
   267                                  /* Ask ST CORE to forward
   268                                   * the packet to protocol driver */
   269                                  st_send_frame(protoid, st_gdata);
                                                      ^^^^^^^
I think this could be equal to ST_MAX (3) here.

   270
   271                                  st_gdata->rx_state = ST_W4_PACKET_TYPE;
   272                                  st_gdata->rx_skb = NULL;
   273                                  protoid = ST_MAX;       /* is this required ? */
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In st_send_frame() we check st_gdata->list[protoid] but ->list only has
ST_MAX elements so if protoid is ST_MAX we are one past the end of the
array.

regards,
dan carpenter

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
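
The index pattern described in this report, modelled in user space as an added example (not part of the original message and not the driver's code). Only `ST_MAX`, `list` and `protoid` come from the report; the struct layouts, `rx_dropped`, `model_recv`, `demo` and the frame bytes are assumptions made for illustration.

```c
#include <stddef.h>

#define ST_MAX 3 /* value quoted in the report; valid indexes are 0..ST_MAX-1 */

/* Simplified stand-ins for the driver's structures (assumed layout). */
struct st_proto_model { int (*recv)(const unsigned char *data, size_t len); };
struct st_data_model {
	struct st_proto_model *list[ST_MAX];
	unsigned long rx_dropped; /* hypothetical drop counter */
};

/* Reported pattern: protoid indexes list[] with no range check, so
 * protoid == ST_MAX reads one element past the end. Never called here. */
int send_frame_unchecked(unsigned int protoid, struct st_data_model *st,
			 const unsigned char *data, size_t len)
{
	if (st->list[protoid] == NULL)
		return -1;
	return st->list[protoid]->recv(data, len);
}

/* Hardened form: reject the ST_MAX sentinel and anything above it first. */
int send_frame_checked(unsigned int protoid, struct st_data_model *st,
		       const unsigned char *data, size_t len)
{
	if (protoid >= ST_MAX || st->list[protoid] == NULL) {
		st->rx_dropped++;
		return -1;
	}
	return st->list[protoid]->recv(data, len);
}

int model_recv(const unsigned char *data, size_t len)
{
	(void)data;
	return (int)len; /* pretend the protocol driver consumed the frame */
}

/* Dispatch one constructed 4-byte frame with only slot 0 registered. */
int demo(unsigned int protoid)
{
	static struct st_proto_model bt = { model_recv };
	static const unsigned char frame[] = { 0x01, 0x02, 0x03, 0x04 };
	struct st_data_model st = { { &bt, NULL, NULL }, 0 };

	return send_frame_checked(protoid, &st, frame, sizeof(frame));
}

int main(void) { return demo(ST_MAX) == -1 ? 0 : 1; }
```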

