On Fri, May 03, 2002 at 04:00:59PM +1000, Brad Hards wrote:
> G'day,
> 
> While backporting some stuff from 2.5/linuxconsole CVS to 2.4, I came across 
> some changes to the way the dev->name string is calculated. I think it can 
> lead to a one character overflow.
> 
> This is an extract from hid-core.c:usb_hid_configure()
> <extract>
>         hid->name[0] = 0;
> 
>         if (!(buf = kmalloc(64, GFP_KERNEL)))
>                 goto fail;
> 
>         if (usb_string(dev, dev->descriptor.iManufacturer, buf, 64) > 0) {
>                 strcat(hid->name, buf);
>                 if (usb_string(dev, dev->descriptor.iProduct, buf, 64) > 0)
>                         sprintf(hid->name, "%s %s", hid->name, buf);
>         } else
>                 sprintf(hid->name, "%04x:%04x", dev->descriptor.idVendor,
>                         dev->descriptor.idProduct);
> </extract>
> 
> The problem is that name is 128 bytes, and given a manufacturer string and a 
> product string equal to or longer than 64 bytes, I think that the sprintf 
> will overrun the end of the structure.
> 
> The next part of that routine is
> <extract>
>         usb_make_path(dev, buf, 63);
>         sprintf(hid->phys, "%s/input%d", buf, ifnum);
> </extract>
> 
> I think that this will overrun too. If the path is longer than 55-47 
> bytes (depending on the magnitude of ifnum), then it could maybe overrun too.
> 
> A patch (that I hope addresses the problem) is attached. Let me know if I've 
> misunderstood the problem.
> 
> Please note - I can't boot 2.5.12, so this has only been tested for 
> compilation. Please verify before forwarding.

The problem was that the 2.5 version used snprintf in place of sprintf,
but snprintf was missing from the kernel, and thus was replaced by
sprintf and the possible overflow introduced.

We can either fix it by changing the numbers to fit (but this is always
prone to similar bugs caused by changing the strings only), or changing
back to snprintf.

-- 
Vojtech Pavlik
SuSE Labs
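As an added illustration of the snprintf approach (this is example code written for this page, not the hid-core.c driver code or the patch under discussion), the following user-space C program builds the two strings with bounded writes and makes the length arithmetic explicit. It assumes, as stated in the mail, that name is 128 bytes; it further assumes that phys is 64 bytes, that usb_string() leaves at most 63 characters plus a terminator in its 64-byte scratch buffer, and that usb_make_path(dev, buf, 63) leaves at most 62. The struct, the run_demo() inputs and the field sizes other than name are constructed stand-ins, not taken from the kernel headers.

```c
/* Added example, not driver code: bounded construction of the hid name
 * and phys strings, with the space each sprintf() call would need made
 * explicit. Assumptions: name is 128 bytes (from the mail), phys is 64
 * bytes, the manufacturer/product strings are at most 63 characters,
 * the USB path is at most 62 characters. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define HID_NAME_LEN 128   /* from the mail: name is 128 bytes           */
#define HID_PHYS_LEN 64    /* assumption: size of the phys field          */
#define USB_STR_LEN  64    /* size of the kmalloc'd scratch buffer        */

/* Stand-in for the two fields of interest in struct hid_device. */
struct hid_name_buf {
    char name[HID_NAME_LEN];
    char phys[HID_PHYS_LEN];
};

/* Characters sprintf(name, "%s %s", manuf, product) would emit, not
 * counting the terminator. snprintf(NULL, 0, ...) measures without
 * writing anywhere, so it is safe even for inputs that would overflow. */
size_t name_needed(const char *manuf, const char *product)
{
    return (size_t)snprintf(NULL, 0, "%s %s", manuf, product);
}

size_t phys_needed(const char *path, int ifnum)
{
    return (size_t)snprintf(NULL, 0, "%s/input%d", path, ifnum);
}

/* Bounded replacement for the strcat()/sprintf() sequence. Returns true
 * if the whole string fit, false if snprintf() had to truncate. It never
 * writes past the end of out->name, and it never passes the destination
 * as a source argument: sprintf(dst, "%s %s", dst, x) copies between
 * overlapping objects, which the C standard leaves undefined. */
bool build_name(struct hid_name_buf *out, const char *manuf,
                const char *product, unsigned vendor, unsigned prod_id)
{
    int n;
    if (manuf && manuf[0]) {
        if (product && product[0])
            n = snprintf(out->name, sizeof out->name, "%s %s", manuf, product);
        else
            n = snprintf(out->name, sizeof out->name, "%s", manuf);
    } else {
        n = snprintf(out->name, sizeof out->name, "%04x:%04x", vendor, prod_id);
    }
    return n >= 0 && (size_t)n < sizeof out->name;
}

bool build_phys(struct hid_name_buf *out, const char *path, int ifnum)
{
    int n = snprintf(out->phys, sizeof out->phys, "%s/input%d", path, ifnum);
    return n >= 0 && (size_t)n < sizeof out->phys;
}

struct demo_result {
    size_t name_needed, phys_needed;   /* what sprintf() would have written */
    bool   name_fit, phys_fit;         /* whether snprintf() truncated      */
    size_t name_len, phys_len;         /* resulting string lengths          */
};

/* Runs the longest inputs the scratch-buffer sizes allow (constructed
 * sample data): a 63-character manufacturer, a 63-character product and
 * a 62-character path with interface number 0. */
struct demo_result run_demo(void)
{
    struct hid_name_buf h;
    struct demo_result r;
    char manuf[USB_STR_LEN], product[USB_STR_LEN], path[USB_STR_LEN];

    memset(manuf, 'M', 63);   manuf[63] = '\0';
    memset(product, 'P', 63); product[63] = '\0';
    memset(path, 'p', 62);    path[62] = '\0';

    r.name_needed = name_needed(manuf, product);
    r.name_fit    = build_name(&h, manuf, product, 0x046d, 0xc00e);
    r.name_len    = strlen(h.name);
    r.phys_needed = phys_needed(path, 0);
    r.phys_fit    = build_phys(&h, path, 0);
    r.phys_len    = strlen(h.phys);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("name: needs %zu of %d bytes, fit=%d, len=%zu\n",
           r.name_needed + 1, HID_NAME_LEN, r.name_fit, r.name_len);
    printf("phys: needs %zu of %d bytes, fit=%d, len=%zu\n",
           r.phys_needed + 1, HID_PHYS_LEN, r.phys_fit, r.phys_len);
    return 0;
}
```

Under these assumptions the name case needs 127 characters plus the terminator, exactly the 128 bytes available and with no slack for a later change to the format string, while the phys case needs 69 characters plus the terminator against a 64-byte field, so snprintf() truncates it rather than running past the end of the structure. Checking the return value against the buffer size is what turns "changing the numbers to fit" into a property the compiler-visible sizeof enforces.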

_______________________________________________
[EMAIL PROTECTED]
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel