Dear OpenBSD team,

I would like to bring your attention to the following bug report from FreeBSD, where I have ported and imported the umb(4) driver recently: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284904

The bug report mentions:

> in_len2mask(mask, len) will write as many as len/8 bytes:
>
>	for (i = 0; i < len / 8; i++)
>		p[i] = 0xff;
>
> len comes from an ipv4elem.prefixlen in an MBIM_CID_IP_CONFIGURATION
> message from the USB device, and can be any uint32_t value. So a broken
> or malicious USB device can cause a buffer overflow.

I think that in reality, len comes from the network, which would make the issue marginally worse.

Can you confirm the bug on your side, and would you have any suggestion as to how to fix it properly? I would suggest making len an unsigned value in umb_decode_cid() and subsequent calls (infolen is unsigned in the first place there) but, more importantly, verifying that prefixlen is at most 32.

Does that make sense?

HTH,
-- 
khorben
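The unchecked loop quoted in the message beside the check it proposes, as an added example in C that is not part of the original message, the OpenBSD tree, or the FreeBSD port. It models the in_len2mask() loop on a 4-byte mask, computes (rather than performs) how far an attacker-chosen prefix length would carry that loop past the mask, and then validates prefixlen at the point where it is decoded from the device. The IPv4 element wire layout (little-endian uint32 prefix length followed by 4 address bytes), the struct and the function names umb_decode_ipv4elem / in_len2mask_checked / in_len2mask_bytes_touched are assumptions made for illustration, not identifiers from umb(4):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not the OpenBSD or FreeBSD umb(4) code: models the
 * in_len2mask() loop quoted in the bug report, shows how far an unchecked
 * prefix length would carry it past a 4-byte mask, and adds the two checks
 * the message proposes (unsigned length, prefixlen <= 32) where the value
 * is decoded from the device.
 */

/* How many bytes the quoted unchecked loop writes for a prefix length:
 * len/8 full 0xff bytes plus one partial byte when len % 8 != 0.
 * Computed, not executed, so a huge len does not overflow anything here. */
static uint64_t
in_len2mask_bytes_touched(uint32_t len)
{
	return (uint64_t)len / 8 + (len % 8 ? 1 : 0);
}

/* Hardened mask builder: refuses any length the 4-byte mask cannot hold,
 * and only then runs the same fill loop as the original. */
static int
in_len2mask_checked(uint8_t mask[4], uint32_t len)
{
	uint32_t i;

	if (len > 32)
		return -1;
	memset(mask, 0, 4);
	for (i = 0; i < len / 8; i++)
		mask[i] = 0xff;
	if (len % 8)
		mask[i] = (0xff00 >> (len % 8)) & 0xff;
	return 0;
}

/*
 * Assumed wire layout of one IPv4 element inside the MBIM_CID_IP_CONFIGURATION
 * response: a little-endian uint32 prefix length followed by the 4 address
 * bytes. Both fields come from the USB device (or the network behind it).
 */
#define UMB_IPV4ELEM_LEN 8

struct umb_ipv4elem {
	uint32_t prefixlen;	/* kept unsigned, as the message suggests */
	uint8_t  addr[4];
	uint8_t  mask[4];
};

static uint32_t
le32_at(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	    (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one element; returns 0 on success, -1 for a short buffer or a
 * prefix length the mask cannot represent. Nothing is written to *out
 * until the element has been validated. */
static int
umb_decode_ipv4elem(const uint8_t *buf, size_t buflen, struct umb_ipv4elem *out)
{
	uint32_t prefixlen;
	uint8_t mask[4];

	if (buflen < UMB_IPV4ELEM_LEN)
		return -1;
	prefixlen = le32_at(buf);
	if (prefixlen > 32 || in_len2mask_checked(mask, prefixlen) == -1)
		return -1;
	out->prefixlen = prefixlen;
	memcpy(out->addr, buf + 4, 4);
	memcpy(out->mask, mask, 4);
	return 0;
}

/* Pack a network-order mask as a host-order number for easy comparison. */
static uint32_t
mask_to_u32(const uint8_t mask[4])
{
	return (uint32_t)mask[0] << 24 | (uint32_t)mask[1] << 16 |
	    (uint32_t)mask[2] << 8 | mask[3];
}

int
main(void)
{
	/* Constructed inputs: a sane /24 element and a hostile one whose
	 * prefix length would drive the unchecked loop 512 MiB past the mask. */
	static const uint8_t good[] = { 24, 0, 0, 0, 192, 168, 1, 10 };
	static const uint8_t evil[] = { 0xff, 0xff, 0xff, 0xff, 10, 0, 0, 1 };
	struct umb_ipv4elem e;

	if (umb_decode_ipv4elem(good, sizeof(good), &e) == 0)
		printf("prefixlen %u mask 0x%08x\n", e.prefixlen, mask_to_u32(e.mask));
	if (umb_decode_ipv4elem(evil, sizeof(evil), &e) == -1)
		printf("rejected prefixlen 0x%08x (would touch %llu bytes)\n",
		    le32_at(evil),
		    (unsigned long long)in_len2mask_bytes_touched(le32_at(evil)));
	return 0;
}
```

The check sits in the decoder rather than only in the mask builder on purpose: rejecting the element before any of it is copied out means a bad prefixlen cannot leave a half-filled configuration behind, and an unsigned prefixlen avoids the negative-length case that a signed int would introduce for values above INT_MAX.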
