Re: CVS commit: src/sys/dev/usb

2020-03-22 Thread Roy Marples

On 22/03/2020 08:30, Maxime Villard wrote:

Overall "From OpenBSD" is a red flag for buggy and vulnerable code..


We should be above this, no software is perfect, not even ours.

Roy


Re: CVS import: src/external/broadcom/bwfm/dist

2020-03-22 Thread Jason Thorpe


> On Mar 22, 2020, at 12:00 PM, Jason R Thorpe wrote:
> 
> 3 conflicts created by this import.

Note: These are false conflicts that are the result of the files being "cvs 
add"ed rather than imported originally.  I verified before the import that all 
files that we currently distribute are identical to versions in the current 
linux-firmware snapshot.

-- thorpej



Re: CVS commit: src/sys/dev/usb

2020-03-22 Thread Maxime Villard
On 19/03/2020 at 08:49, Pierre Pronchery wrote:
> Module Name:  src
> Committed By: khorben
> Date: Thu Mar 19 07:49:29 UTC 2020
> 
> Modified Files:
>   src/sys/dev/usb: if_umb.c
> 
> Log Message:
> When there is no network around the state timeout fires over and over again.
> Change the printf into a log and only under IFF_DEBUG to reduce dmesg spam.
> Loudly requested by beck@ OK deraadt@

FWIW, there are a number of potentially exploitable bugs in this driver,
and they have been on my todo list for three months.

E.g., follow umb_decode_response(), there are integer overflows that can
trigger actual buffer overflows. Would you be interested in fixing the
vulns?

> From OpenBSD.

Overall "From OpenBSD" is a red flag for buggy and vulnerable code..

Maxime