Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow

On Wed, May 13, 2015 at 08:58:17PM +0200, Jason A. Donenfeld wrote: > Since elt->length is a u8, we can make this variable a u8. Then we can > do proper bounds checking more easily. Without this, a potentially > negative value is passed to the memcpy inside oz_hcd_get_desc_cnf, > resulting in a rem

Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow

On May 15, 2015 4:10 PM, "David Laight" wrote: > Why not just check the length. eg: > unsigned int data_len = elt->length; > if (data_len < sizeof(struct oz_get_desc_rsp) + 1) > break; Sure. > >