On Fri, 2017-02-24 at 09:25 +0100, Greg Kroah-Hartman wrote: > 4.4-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Johan Hovold <[email protected]> > > commit 2d380889215fe20b8523345649dee0579821800c upstream. > > Make sure to check for short transfers to avoid underflow in a loop > condition when parsing the receive buffer. > > Also fix an off-by-one error in the incomplete sanity check which could > lead to invalid data being parsed.
This appears to *introduce* an off-by-one. Which is not as serious as
the underflow, but is still a regression.
Suppose we have urb->actual_length == 4:
[...]
> - for (i = 0; i < urb->actual_length - 3;) {
i < 1 is true, so we would run the loop once.
> - opcode = ((unsigned char *)urb->transfer_buffer)[i++];
> - line = ((unsigned char *)urb->transfer_buffer)[i++];
> - status = ((unsigned char *)urb->transfer_buffer)[i++];
> - val = ((unsigned char *)urb->transfer_buffer)[i++];
> + for (i = 0; i < urb->actual_length - 4; i += 4) {
i < 0 is false, so we now skip the loop.
> + opcode = buf[i];
> + line = buf[i + 1];
> + status = buf[i + 2];
> + val = buf[i + 3];
[...]
Ben.
--
Ben Hutchings
All the simple programs have been written, and all the good names
taken.
signature.asc
Description: This is a digitally signed message part
