On Fri, Feb 24, 2017 at 01:38:25PM +0000, Ben Hutchings wrote: > On Fri, 2017-02-24 at 09:25 +0100, Greg Kroah-Hartman wrote: > > 4.4-stable review patch. If anyone has any objections, please let me know. > > > > ------------------ > > > > From: Johan Hovold <[email protected]> > > > > commit 2d380889215fe20b8523345649dee0579821800c upstream. > > > > Make sure to check for short transfers to avoid underflow in a loop > > condition when parsing the receive buffer. > > > > Also fix an off-by-one error in the incomplete sanity check which could > > lead to invalid data being parsed. > > This appears to *introduce* an off-by-one. Which is not as serious as > the underflow, but is still a regression. > > Suppose we have urb->actual_length == 4: > > [...] > > - for (i = 0; i < urb->actual_length - 3;) { > > i < 1 is true, so we would run the loop once. > > > - opcode = ((unsigned char *)urb->transfer_buffer)[i++]; > > - line = ((unsigned char *)urb->transfer_buffer)[i++]; > > - status = ((unsigned char *)urb->transfer_buffer)[i++]; > > - val = ((unsigned char *)urb->transfer_buffer)[i++]; > > + for (i = 0; i < urb->actual_length - 4; i += 4) { > > i < 0 is false, so we now skip the loop.
Good catch, thanks! The original loop condition was indeed correct (modulo the missing underflow check), and I'll post a follow-up fix to address this. > > + opcode = buf[i]; > > + line = buf[i + 1]; > > + status = buf[i + 2]; > > + val = buf[i + 3]; You should probably not apply this one until after the follow-up is in Linus' tree as this patch breaks TIOCMGET. Thanks, Johan
