Re: [bug report] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Dec 14, 2017 at 11:01:15AM -0700, Shuah Khan wrote:
> Hi Dan,
> 
> On 12/14/2017 12:58 AM, Dan Carpenter wrote:
> > Hello Shuah Khan,
> > 
> > The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
> > to handle malicious input" from Dec 7, 2017, leads to the following
> > static checker warning:
> > 
> >     drivers/usb/usbip/stub_rx.c:346 get_pipe()
> >     warn: impossible condition '(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) => (s32min-s32max > s32max)'
> >     drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
> >     warn: always true condition '(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) => (s32min-s32max <= s32max)'
> > 
> > drivers/usb/usbip/stub_rx.c
> >    343          epd = &ep->desc;
> >    344  
> >    345          /* validate transfer_buffer_length */
> >    346          if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
> >                                       ^^^^^^^^^^^^^^^^^^^^^^
> > This is an int.
> 
> Yeah the check should have been against S32_MAX for the two checks
> in this patch.

TBH, I don't understand.

INT_MAX is always the same as S32_MAX on every arch (that wasn't always
true in ancient times but it's always true on linux arches).

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux