On Fri, 2017-02-24 at 09:25 +0100, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Johan Hovold <johan@xxxxxxxxxx> > > commit 2d380889215fe20b8523345649dee0579821800c upstream. > > Make sure to check for short transfers to avoid underflow in a loop > condition when parsing the receive buffer. > > Also fix an off-by-one error in the incomplete sanity check which could > lead to invalid data being parsed. This appears to *introduce* an off-by-one. Which is not as serious as the underflow, but is still a regression. Suppose we have urb->actual_length == 4: [...] > - for (i = 0; i < urb->actual_length - 3;) { i < 1 is true, so we would run the loop once. > - opcode = ((unsigned char *)urb->transfer_buffer)[i++]; > - line = ((unsigned char *)urb->transfer_buffer)[i++]; > - status = ((unsigned char *)urb->transfer_buffer)[i++]; > - val = ((unsigned char *)urb->transfer_buffer)[i++]; > + for (i = 0; i < urb->actual_length - 4; i += 4) { i < 0 is false, so we now skip the loop. > + opcode = buf[i]; > + line = buf[i + 1]; > + status = buf[i + 2]; > + val = buf[i + 3]; [...] Ben. -- Ben Hutchings All the simple programs have been written, and all the good names taken.
Attachment:
signature.asc
Description: This is a digitally signed message part