The branch main has been updated by khorben:

URL: https://cgit.FreeBSD.org/src/commit/?id=152bb8e3020451963a3f2a8adf05f00a5222a4e5

commit 152bb8e3020451963a3f2a8adf05f00a5222a4e5
Author:     Pierre Pronchery <khor...@freebsd.org>
AuthorDate: 2025-05-26 23:42:30 +0000
Commit:     Pierre Pronchery <khor...@freebsd.org>
CommitDate: 2025-05-29 13:07:54 +0000

    umb: avoid buffer overflow in umb_getinfobuf()
    
    umb_getinfobuf() is called with offs and size taken from messages sent
    by the USB device. The sanity check is not sufficient, due to a possible
    integer wrap. This can allow a broken or malicious USB device, or
    possibly the network operator, to cause a buffer overflow.
    
    This fix from Gerhard Roth was obtained after coordination upstream with
    OpenBSD. It converts the variables to 64-bit integers, which should
    mitigate the risk of overflows.
    
    PR:             284906
    Reported by:    Robert Morris <r...@lcs.mit.edu>
    Approved by:    philip (mentor)
    Sponsored by:   The FreeBSD Foundation
---
 sys/dev/usb/net/if_umb.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c
index 50f481973be0..a7d3bb764a2b 100644
--- a/sys/dev/usb/net/if_umb.c
+++ b/sys/dev/usb/net/if_umb.c
@@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, 
uint32_t sz,
 {
        offs = le32toh(offs);
        sz = le32toh(sz);
-       if (inlen >= offs + sz) {
-               memset(out, 0, outlen);
+       memset(out, 0, outlen);
+       if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz)
                memcpy(out, in + offs, MIN(sz, outlen));
-       }
 }
 
 static inline int
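
Review bot: the new comparison casts `inlen` with `(uint64_t)inlen`, but `inlen` is declared `int` in the signature, so a negative value converts to a very large unsigned number and the check passes for any device-supplied `offs` and `sz`. Consider rejecting `inlen < 0` before the comparison, or making the parameter an unsigned type, so the bound does not depend on every caller passing a non-negative length. Separately, `memset(out, 0, outlen)` now runs even when the check fails, which means callers get a zeroed buffer on rejected input; that is a sensible behaviour change, but the commit message does not mention it and a short comment above the `memset` would make the intent clear.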
