On 12/14/2017 01:16 PM, Dan Carpenter wrote:
> On Thu, Dec 14, 2017 at 11:01:15AM -0700, Shuah Khan wrote:
>> Hi Dan,
>>
>> On 12/14/2017 12:58 AM, Dan Carpenter wrote:
>>> Hello Shuah Khan,
>>>
>>> The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
>>> to handle malicious input" from Dec 7, 2017, leads to the following
>>> static checker warning:
>>>
>>> drivers/usb/usbip/stub_rx.c:346 get_pipe()
>>> warn: impossible condition '(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) => (s32min-s32max > s32max)'
>>> drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
>>> warn: always true condition '(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) => (s32min-s32max <= s32max)'
>>>
>>> drivers/usb/usbip/stub_rx.c
>>> 343 epd = &ep->desc;
>>> 344
>>> 345 /* validate transfer_buffer_length */
>>> 346 if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
>>> ^^^^^^^^^^^^^^^^^^^^^^
>>> This is an int.
>>
>> Yeah the check should have been against S32_MAX for the two checks
>> in this patch.
>
> TBH, I don't understand.
>
Yeah. I didn't make any sense there. Anyway, I have to check against
a reasonable max value for this protocol. I will send a fix.
thanks,
-- Shuah
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
