On Wed, May 13, 2015 at 08:58:17PM +0200, Jason A. Donenfeld wrote:
Since elt->length is a u8, we can make this variable a u8. Then we can
do proper bounds checking more easily. Without this, a potentially
negative value is passed to the memcpy inside oz_hcd_get_desc_cnf,
resulting in a
On May 15, 2015 4:10 PM, David Laight <david.lai...@aculab.com> wrote:
Why not just check the length. eg:
unsigned int data_len = elt->length;
if (data_len < sizeof(struct oz_get_desc_rsp) + 1)
	break;
Sure.
Since elt->length is a u8, we can make this variable a u8. Then we can
do proper bounds checking more easily. Without this, a potentially
negative value is passed to the memcpy inside oz_hcd_get_desc_cnf,
resulting in a remotely exploitable heap overflow with network
supplied data.
This could
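As an added illustration (not code from this thread or from the ozwpan driver), the length arithmetic the thread describes beside a guarded form; it assumes a constructed stand-in for struct oz_get_desc_rsp whose layout ends in the one-byte data[] placeholder that the "+ 1" accounts for, so the fixed header is sizeof(struct) - 1 bytes.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint8_t u8;

/* Constructed stand-in: the real struct layout is not shown in the
 * thread, only that its size enters the data_len computation and
 * that one trailing byte is a data[] placeholder. */
struct oz_get_desc_rsp {
	u8 req_id;
	u8 rcode;
	u8 offset[2];
	u8 total_size[2];
	u8 data[1];
};

/* Bytes of fixed header that precede the variable-length data. */
#define OZ_DESC_HDR_LEN (sizeof(struct oz_get_desc_rsp) - 1)

/* Unchecked arithmetic as the thread describes it: the u8 length is
 * promoted to int, the subtraction of a size_t converts it to an
 * unsigned type that wraps for short elements, and storing the result
 * in an int yields a negative data_len. */
int data_len_unchecked(u8 elt_length)
{
	int data_len = elt_length - sizeof(struct oz_get_desc_rsp) + 1;
	return data_len;
}

/* memcpy takes a size_t, so a negative int arrives as a huge count;
 * this is the value a copy routine would actually see. */
size_t memcpy_count_seen(int data_len)
{
	return (size_t)data_len;
}

/* Guarded form: reject elements too short to hold the header before
 * subtracting, so the subtraction can never wrap. Returns -1 when the
 * element must be dropped. */
int data_len_checked(u8 elt_length)
{
	if (elt_length < OZ_DESC_HDR_LEN)
		return -1;
	return (int)(elt_length - OZ_DESC_HDR_LEN);
}
```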