On Fri, May 29, 2015 at 05:20:52PM +0200, Jason A. Donenfeld wrote:
> On Fri, May 29, 2015 at 2:41 PM, Dan Carpenter wrote:
> > Acked-by: Dan Carpenter
>
> Acked for the rest of the set too?
Yes. Thanks.
regards,
dan carpenter
___
devel mailing
On Fri, May 29, 2015 at 2:36 PM, Frans Klaver wrote:
>
> I would say that it is because part of the expression has been placed
> inside parentheses:
>
> a - b + 1 == a - (b - 1)
>
> Guess it makes the decision logic slightly more readable.
Yes, exactly this. It's so that the bounding check co
On Fri, May 29, 2015 at 2:41 PM, Dan Carpenter wrote:
> Acked-by: Dan Carpenter
Acked for the rest of the set too?
Oh. Duh. Of course.
Acked-by: Dan Carpenter
regards,
dan carpenter
Hi,
On Fri, May 29, 2015 at 2:00 PM, Dan Carpenter wrote:
> On Fri, May 29, 2015 at 01:06:58PM +0200, Jason A. Donenfeld wrote:
>> --- a/drivers/staging/ozwpan/ozusbsvc1.c
>> +++ b/drivers/staging/ozwpan/ozusbsvc1.c
>> @@ -390,10 +390,15 @@ void oz_usb_rx(struct oz_pd *pd, struct oz_elt *elt)
>>
On Fri, May 29, 2015 at 01:06:58PM +0200, Jason A. Donenfeld wrote:
> --- a/drivers/staging/ozwpan/ozusbsvc1.c
> +++ b/drivers/staging/ozwpan/ozusbsvc1.c
> @@ -390,10 +390,15 @@ void oz_usb_rx(struct oz_pd *pd, struct oz_elt *elt)
> case OZ_GET_DESC_RSP: {
> struct oz_ge
Since elt->length is a u8, we can make this variable a u8. Then we can
do proper bounds checking more easily. Without this, a potentially
negative value is passed to the memcpy inside oz_hcd_get_desc_cnf,
resulting in a remotely exploitable heap overflow with network
supplied data.
This could resu
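
The length handling discussed in this thread, as an added example that is not part of the original posts and is not the ozwpan driver's code: a signed `a - b + 1` length next to a u8 length guarded by a check on the same `(b - 1)` quantity. The struct layout and all `demo_*` / `DEMO_*` names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical response header (all names here are illustrative). The first
 * payload byte, data[0], is counted in sizeof, hence the "- 1" below. */
struct demo_rsp {
    uint8_t type;
    uint8_t req_id;
    uint8_t offset[2];
    uint8_t data[1];
};
#define DEMO_HDR (sizeof(struct demo_rsp) - 1)   /* 4 bytes before the payload */

/* Before: signed length, a - b + 1. An element shorter than the header gives
 * a negative int, which becomes an enormous size_t when handed to memcpy. */
int demo_len_signed(uint8_t elt_length)
{
    return elt_length - (int)sizeof(struct demo_rsp) + 1;
}

/* After: the check and the subtraction both use (b - 1), so a u8 length
 * can never wrap. Returns the payload length, or -1 for a short element. */
int demo_len_checked(uint8_t elt_length)
{
    uint8_t data_len;
    if (elt_length < DEMO_HDR)
        return -1;
    data_len = (uint8_t)(elt_length - DEMO_HDR);
    return data_len;
}

/* Copy the payload only once the length is validated against the element
 * and against the destination buffer. Returns bytes copied, or -1. */
int demo_copy(const uint8_t *elt_body, uint8_t elt_length, uint8_t *dst, size_t dst_size)
{
    int n = demo_len_checked(elt_length);
    if (n < 0 || (size_t)n > dst_size)
        return -1;
    memcpy(dst, elt_body + DEMO_HDR, (size_t)n);
    return n;
}

int main(void)
{
    printf("signed: %d -> as size_t %zu\n", demo_len_signed(2), (size_t)demo_len_signed(2));
    printf("checked: %d\n", demo_len_checked(2));
    return 0;
}
```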