Re: [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow

2015-05-29 Thread Dan Carpenter
On Fri, May 29, 2015 at 05:20:52PM +0200, Jason A. Donenfeld wrote: > On Fri, May 29, 2015 at 2:41 PM, Dan Carpenter > wrote: > > Acked-by: Dan Carpenter > > Acked for the rest of the set too? Yes. Thanks. regards, dan carpenter ___ devel mailing

Re: [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow

2015-05-29 Thread Jason A. Donenfeld
On Fri, May 29, 2015 at 2:36 PM, Frans Klaver wrote: > > I would say that it is because part of the expression has been placed > inside parentheses: > > a - b + 1 == a - (b - 1) > > Guess it makes the decision logic slightly more readable. Yes, exactly this. It's so that the bounding check co

Re: [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow

2015-05-29 Thread Jason A. Donenfeld
On Fri, May 29, 2015 at 2:41 PM, Dan Carpenter wrote: > Acked-by: Dan Carpenter Acked for the rest of the set too? ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow

2015-05-29 Thread Dan Carpenter
Oh. Duh. Of course. Acked-by: Dan Carpenter regards, dan carpenter ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow

2015-05-29 Thread Frans Klaver
Hi, On Fri, May 29, 2015 at 2:00 PM, Dan Carpenter wrote: > On Fri, May 29, 2015 at 01:06:58PM +0200, Jason A. Donenfeld wrote: >> --- a/drivers/staging/ozwpan/ozusbsvc1.c >> +++ b/drivers/staging/ozwpan/ozusbsvc1.c >> @@ -390,10 +390,15 @@ void oz_usb_rx(struct oz_pd *pd, struct oz_elt *elt) >>

Re: [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow

2015-05-29 Thread Dan Carpenter
On Fri, May 29, 2015 at 01:06:58PM +0200, Jason A. Donenfeld wrote: > --- a/drivers/staging/ozwpan/ozusbsvc1.c > +++ b/drivers/staging/ozwpan/ozusbsvc1.c > @@ -390,10 +390,15 @@ void oz_usb_rx(struct oz_pd *pd, struct oz_elt *elt) > case OZ_GET_DESC_RSP: { > struct oz_ge

[PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow

2015-05-29 Thread Jason A. Donenfeld
Since elt->length is a u8, we can make this variable a u8. Then we can do proper bounds checking more easily. Without this, a potentially negative value is passed to the memcpy inside oz_hcd_get_desc_cnf, resulting in a remotely exploitable heap overflow with network supplied data. This could resu