Hi Dan,
On 12/14/2017 12:58 AM, Dan Carpenter wrote:
> Hello Shuah Khan,
>
> The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
> to handle malicious input" from Dec 7, 2017, leads to the following
> static checker warning:
>
> drivers/usb/usbip/stub_rx.c:346 get_pipe()
> warn: impossible condition '(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) => (s32min-s32max > s32max)'
> drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
> warn: always true condition '(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) => (s32min-s32max <= s32max)'
>
> drivers/usb/usbip/stub_rx.c
> 343 epd = &ep->desc;
> 344
> 345 /* validate transfer_buffer_length */
> 346 if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
> ^^^^^^^^^^^^^^^^^^^^^^
> This is an int.
Yeah the check should have been against S32_MAX for the two checks
in this patch.
snip
> 483
> 484 /* allocate urb transfer buffer, if needed */
> 485 if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
> 486 pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
I will send a new version fixing the problem.
Greg, this patch is in usb-linus - would you like me to send a patch fixing
the warn or send v2 for this patch? I can go with whichever works the best
for you.
thanks,
-- Shuah
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
