umb: avoid buffer overflow in umb_getinfobuf()
umb_getinfobuf() is called with offs and size taken from messages sent by the USB device. The sanity check is not sufficient, due to a possible integer wrap. This can allow a broken or malicious USB device, or possibly the network operator, to cause a buffer overflow. This fix from Gerhard Roth was obtained after coordination upstream with OpenBSD. It converts the variables to 64-bit integers, which should mitigate the risk of overflows. PR: 284906 Reported by: Robert Morris <rtm@lcs.mit.edu> Approved by: philip (mentor) Sponsored by: The FreeBSD Foundation
This commit is contained in:
@@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz,
|
||||
{
|
||||
offs = le32toh(offs);
|
||||
sz = le32toh(sz);
|
||||
if (inlen >= offs + sz) {
|
||||
memset(out, 0, outlen);
|
||||
memset(out, 0, outlen);
|
||||
if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz)
|
||||
memcpy(out, in + offs, MIN(sz, outlen));
|
||||
}
|
||||
}
|
||||
|
||||
static inline int
|
||||
|
||||
Reference in New Issue
Block a user