On Thu, Dec 14, 2017 at 11:01:15AM -0700, Shuah Khan wrote:
> Hi Dan,
>
> On 12/14/2017 12:58 AM, Dan Carpenter wrote:
> > Hello Shuah Khan,
> >
> > The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
> > to handle malicious input" from Dec 7, 2017, leads to the following
> > static checker warning:
> >
> > drivers/usb/usbip/stub_rx.c:346 get_pipe()
> > warn: impossible condition '(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) => (s32min-s32max > s32max)'
> > drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
> > warn: always true condition '(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) => (s32min-s32max <= s32max)'
> >
> > drivers/usb/usbip/stub_rx.c
> > 343 epd = &ep->desc;
> > 344
> > 345 /* validate transfer_buffer_length */
> > 346 if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
> > ^^^^^^^^^^^^^^^^^^^^^^
> > This is an int.
>
> Yeah the check should have been against S32_MAX for the two checks
> in this patch.
>
> snip
> > 483
> > 484 /* allocate urb transfer buffer, if needed */
> > 485 if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
> > 486 pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
>
> I will send a new version fixing the problem.
>
> Greg, this patch is in usb-linus - would you like me to send a patch fixing
> the warn or send v2 for this patch? I can go with whichever works the best
> for you.

A patch to fix the issue, I can't rebase the tree.

thanks,

greg k-h
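
Why the checker calls the condition at stub_rx.c:346 impossible, shown as an added user-space example that is not part of this thread or of any kernel patch: a signed 32-bit length can never exceed `INT_MAX`, so a negative value decoded from the wire passes that check, while an explicit range check on the signed value rejects it. The struct, the function names and the `max_len` cap are hypothetical, and the four input bytes are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the PDU field; the checker reports it as s32. */
struct cmd_submit_hdr {
	int32_t transfer_buffer_length;
};

/* Decode a 32-bit network-order field the way a receiver would. */
static int32_t decode_be32_signed(const unsigned char b[4])
{
	uint32_t u = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
		     ((uint32_t)b[2] << 8) | (uint32_t)b[3];
	return (int32_t)u; /* 0xffffffff becomes -1 on two's complement */
}

/* Shape of the flagged check: an int is never greater than INT_MAX,
 * so nothing is ever rejected here. */
static int length_ok_flagged(const struct cmd_submit_hdr *h)
{
	return !(h->transfer_buffer_length > INT_MAX);
}

/* Explicit range check on the signed value. max_len is an assumed,
 * caller-chosen cap, not a constant taken from the driver. */
static int length_ok_explicit(const struct cmd_submit_hdr *h, int32_t max_len)
{
	return h->transfer_buffer_length >= 0 &&
	       h->transfer_buffer_length <= max_len;
}

int main(void)
{
	/* Constructed sample: length field with all bits set. */
	const unsigned char wire[4] = { 0xff, 0xff, 0xff, 0xff };
	struct cmd_submit_hdr h = { decode_be32_signed(wire) };

	printf("decoded length:  %d\n", (int)h.transfer_buffer_length);
	printf("flagged check:   %s\n", length_ok_flagged(&h) ? "accepts" : "rejects");
	printf("explicit check:  %s\n",
	       length_ok_explicit(&h, 1 << 20) ? "accepts" : "rejects");
	return 0;
}
```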