umb: avoid buffer overflow in umb_getinfobuf()

umb_getinfobuf() is called with offs and size taken from messages sent
by the USB device. The sanity check is not sufficient, due to a possible
integer wrap. This can allow a broken or malicious USB device, or
possibly the network operator, to cause a buffer overflow.

This fix from Gerhard Roth was obtained after coordination upstream with
OpenBSD. It converts the variables to 64-bit integers, which should
mitigate the risk of overflows.

PR:             284906
Reported by:    Robert Morris <rtm@lcs.mit.edu>
Approved by:	philip (mentor)
Sponsored by:   The FreeBSD Foundation
This commit is contained in:
Pierre Pronchery
2025-05-27 01:42:30 +02:00
parent 5ed36e2e17
commit 152bb8e302
+2 -3
View File
@@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz,
{
offs = le32toh(offs);
sz = le32toh(sz);
if (inlen >= offs + sz) {
memset(out, 0, outlen);
memset(out, 0, outlen);
if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz)
memcpy(out, in + offs, MIN(sz, outlen));
}
}
static inline int