Dear OpenBSD team,

I would like to bring your attention to the following bug report from FreeBSD, where I have ported and imported the umb(4) driver recently:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284906

The bug report mentions:

> if_umb.c calls umb_getinfobuf() with offs and size taken from messages
> sent by the USB device. The "inlen >= offs + sz" check isn't
> sufficient due to possible integer wrap. This can allow a broken or
> malicious USB device to cause a buffer overflow.

From my reading of the current version of the umb(4) driver in OpenBSD, ISTM that you are vulnerable to this issue as well. At the very least I would suggest to keep inlen and len unsigned throughout, and then I think there should be a check for integer overflow in umb_getinfobuf() as suggested.

Thoughts?

HTH,
-- 
khorben
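The wrap described in the quoted report, as an added example that is not part of the original message and is not the driver's code: it models the quoted "inlen >= offs + sz" comparison with 32-bit unsigned values next to a wrap-free form. The function names, the clamp to the output size and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The comparison quoted in the report: offs + sz is a 32-bit sum and can wrap. */
static bool bounds_ok_wrapping(uint32_t inlen, uint32_t offs, uint32_t sz)
{
	return inlen >= offs + sz;
}

/* Wrap-free form: bound offs first, then compare sz with what remains. */
static bool bounds_ok_checked(uint32_t inlen, uint32_t offs, uint32_t sz)
{
	return offs <= inlen && sz <= inlen - offs;
}

/* Hypothetical helper (not the driver's function): copies the sub-buffer only
 * when the range is valid. Returns bytes copied, or -1 when rejected.
 * Clamping sz to outlen is an assumption of this sketch. */
static int getinfobuf_checked(const void *in, uint32_t inlen, uint32_t offs,
    uint32_t sz, void *out, size_t outlen)
{
	if (!bounds_ok_checked(inlen, offs, sz))
		return -1;
	if (sz > outlen)
		sz = (uint32_t)outlen;
	memset(out, 0, outlen);
	memcpy(out, (const uint8_t *)in + offs, sz);
	return (int)sz;
}

int main(void)
{
	/* Constructed values: a 64-byte message and device-supplied fields
	 * chosen so that offs + sz wraps to 0x10. */
	uint8_t msg[64] = { 0 }, out[16];
	uint32_t offs = 0xFFFFFFF0u, sz = 0x20u;

	printf("wrapping check accepts: %d\n",
	    bounds_ok_wrapping(sizeof(msg), offs, sz));
	printf("checked copy returns:   %d\n",
	    getinfobuf_checked(msg, sizeof(msg), offs, sz, out, sizeof(out)));
	return 0;
}
```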