Number: 106435
Category: usb
Synopsis: Possible buffer overflow in dev/usb/ums.c
Confidential: no
Severity: non-critical
Priority: medium
Responsible: freebsd-usb
State: open
Quarter:
Keywords:
Date-Required:
Class: sw-bug
Submitter-Id: current-users
Arrival-Date: Thu Dec 07 05:40:12 GMT 2006
Closed-Date:
Last-Modified:
Originator: Eygene Ryabinkin
Release: FreeBSD 6.2-PRERELEASE i386
Organization:
Code Labs
Environment:
System: FreeBSD XXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #9: Tue Dec 5 09:10:06 MSK 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/XXX i386
Description:
Potential buffer overrun exists: sc->sc_ibuf is allocated as
-
sc->sc_ibuf = malloc(sc->sc_isize, M_USB, M_NOWAIT);
-
in the attach handler, but the interrupt handler always prints 6
bytes of sc->sc_ibuf:
-
DPRINTFN(5, ("ums_intr: data = %02x %02x %02x %02x %02x %02x\n",
sc->sc_ibuf[0], sc->sc_ibuf[1], sc->sc_ibuf[2],
sc->sc_ibuf[3], sc->sc_ibuf[4], sc->sc_ibuf[5]));
-
This issue can be triggered only when USB_DEBUG is defined, so it does
not exist in production mode.
How-To-Repeat:
Look into the /sys/dev/usb/ums.c code.
Fix:
The following patch will help:
--- ums.c.orig Tue Dec 5 13:29:34 2006
+++ ums.c Tue Dec 5 13:31:40 2006
@@ -431,9 +431,10 @@
#define UMS_BUT(i) ((i) 3 ? (((i) + 2) % 3) : (i))
DPRINTFN(5, (ums_intr: sc=%p status=%d\n, sc, status));
- DPRINTFN(5, (ums_intr: data = %02x %02x %02x %02x %02x %02x\n,
-sc-sc_ibuf[0], sc-sc_ibuf[1], sc-sc_ibuf[2],
-sc-sc_ibuf[3], sc-sc_ibuf[4], sc-sc_ibuf[5]));
+ DPRINTFN(5, (ums_intr: data =));
+ for (i = 0; i sc-sc_isize; i++)
+ DPRINTFN(5, ( %02x, sc-sc_ibuf[i]));
+ DPRINTFN(5, (\n));
if (status == USBD_CANCELLED)
return;
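Review bot: the new loop indexes with `i`, but the hunk shows no declaration for it, so ums_intr must already have an `int i` in scope or the driver will fail to build with USB_DEBUG defined, which is the only configuration that compiles this code; please build once with USB_DEBUG to confirm. Bounding the loop on `sc->sc_isize` matches the `malloc(sc->sc_isize, ...)` in attach quoted in the Description, which is what closes the read past the allocation when sc_isize is smaller than the six hard-coded indices. Note that the dump is now assembled from sc_isize + 2 separate DPRINTFN calls, each with its own debug-level check; that is fine for a debug line, but if a single log call is preferred the bytes could be formatted into a small stack buffer first.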
Release-Note:
Audit-Trail:
Unformatted:
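The Description above explains the defect: the attach path allocates exactly sc_isize bytes, while the debug print reads six fixed indices. The following user-space model, added here as an illustration and not code from the PR or from sys/dev/usb/ums.c, reproduces that arithmetic and the bounded replacement dump. The struct and field names (sc_ibuf, sc_isize) follow the PR; the helper names fixed6_overread, dump_ibuf and ums_attach_model and the 3-byte sample report are constructed for the example.

```c
/* Added example (not from the FreeBSD PR or the ums.c source): a
 * user-space model of the ums(4) input-buffer debug dump.  Field names
 * mirror the PR; the helper names and sample data are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

struct ums_softc {
    uint8_t *sc_ibuf;   /* interrupt transfer buffer, sc_isize bytes */
    size_t   sc_isize;  /* report size the attach path allocated */
};

/* The original debug print read sc_ibuf[0..5] regardless of sc_isize.
 * Returns how many of those six indices lie past the allocation
 * (0 when sc_isize >= 6): the number of out-of-bounds bytes the old
 * DPRINTFN would have read with USB_DEBUG enabled. */
size_t fixed6_overread(size_t sc_isize)
{
    const size_t hardcoded = 6;
    return sc_isize < hardcoded ? hardcoded - sc_isize : 0;
}

/* Bounded equivalent of the patched loop: format "ums_intr: data = xx xx ..."
 * for exactly sc_isize bytes into out.  Returns the number of sc_ibuf
 * bytes consumed, which never exceeds sc_isize and stops early if the
 * output buffer fills up. */
size_t dump_ibuf(const struct ums_softc *sc, char *out, size_t outlen)
{
    size_t off, i;
    int n = snprintf(out, outlen, "ums_intr: data =");
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    off = (size_t)n;
    for (i = 0; i < sc->sc_isize; i++) {
        n = snprintf(out + off, outlen - off, " %02x", sc->sc_ibuf[i]);
        if (n < 0 || (size_t)n >= outlen - off)
            break;          /* output buffer full: stop, do not overrun */
        off += (size_t)n;
    }
    return i;
}

/* Attach-time model: allocate the buffer the way the PR quotes
 * (malloc of sc_isize bytes) and fill it with a constructed report. */
int ums_attach_model(struct ums_softc *sc, size_t isize)
{
    sc->sc_isize = isize;
    sc->sc_ibuf = malloc(isize);
    if (sc->sc_ibuf == NULL)
        return -1;
    for (size_t i = 0; i < isize; i++)
        sc->sc_ibuf[i] = (uint8_t)(0x10 + i);  /* constructed sample data */
    return 0;
}

int main(void)
{
    struct ums_softc sc;
    char line[128];
    /* a 3-byte report (buttons, dx, dy): smaller than the six indices
     * the old debug print touched */
    if (ums_attach_model(&sc, 3) != 0)
        return 1;
    printf("old print would read %zu byte(s) past the buffer\n",
           fixed6_overread(sc.sc_isize));
    dump_ibuf(&sc, line, sizeof line);
    puts(line);
    free(sc.sc_ibuf);
    return 0;
}
```

The same bounded loop is what the patch installs in ums_intr; the extra output-length check in dump_ibuf is only needed here because the example writes into a string rather than calling printf per byte.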
___
freebsd-usb@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-usb
To unsubscribe, send any mail to [EMAIL PROTECTED]