On Thu, 2018-08-16 at 04:15 +0200, Jann Horn wrote:
> On Wed, Aug 15, 2018 at 10:44 PM Ben Hutchings
> <ben.hutchings@xxxxxxxxxxxxxxx> wrote:
[...]
> > @@ -446,6 +446,7 @@ static ssize_t yurex_write(struct file *file, const char __user *user_buffer,
> >  		retval = -EFAULT;
> >  		goto error;
> >  	}
> > +	buffer[count] = 0;
> >  	memset(dev->cntl_buffer, CMD_PADDING, YUREX_BUF_SIZE);
> >
> >  	switch (buffer[0]) {
>
> By the way: A little bit below here, there's some other line that looks bogus:
>
> >  	buffer[6] = CMD_EOF;
>
> AFAICS that should probably go into ->cntl_buffer; `buffer` and `data`
> aren't used below that point. But that'd just be a functional bug, not
> security-relevant, so I'm not sure whether anyone cares.

Yes, I noticed that too.  Since I can't test with the actual hardware, I
left it alone.  For all I know, the firmware actually expects
CMD_PADDING and not CMD_EOF at the end of this command.

Ben.

-- 
Ben Hutchings, Software Developer                         Codethink Ltd
https://www.codethink.co.uk/                 Dale House, 35 Dale Street
                                     Manchester, M1 2HF, United Kingdom
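Review bot: the added `buffer[count] = 0;` in the yurex_write hunk is only in bounds if the limit placed on `count` earlier in the function (outside this hunk) leaves one spare byte in `buffer`; please confirm that cap is one less than the size of `buffer`, and add a one-line comment above the assignment stating that the terminator is there so the handling that starts at `switch (buffer[0])` never reads past the bytes copied from user space.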