usb/106435: Possible buffer overflow in dev/usb/ums.c
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Wed Dec 6 21:40:24 PST 2006
>Number: 106435
>Category: usb
>Synopsis: Possible buffer overflow in dev/usb/ums.c
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-usb
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 07 05:40:12 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 6.2-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD XXX 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #9: Tue Dec 5 09:10:06 MSK 2006 root at XXX:/usr/obj/usr/src/sys/XXX i386
>Description:
Potential buffer overrun exists: sc->ibuf is allocated as
-----
sc->sc_ibuf = malloc(sc->sc_isize, M_USB, M_NOWAIT);
-----
in the attach handler, but interrupt handler always prints 6
bytes of sc->sc_isize:
-----
DPRINTFN(5, ("ums_intr: data = %02x %02x %02x %02x %02x %02x\n",
sc->sc_ibuf[0], sc->sc_ibuf[1], sc->sc_ibuf[2],
sc->sc_ibuf[3], sc->sc_ibuf[4], sc->sc_ibuf[5]));
-----
This issue can be triggered only when USB_DEBUG is defined, so it does
not exist in the production mode.
>How-To-Repeat:
Look into the /sys/dev/usb/ums.c code.
>Fix:
The following patch will help:
--- ums.c.orig Tue Dec 5 13:29:34 2006
+++ ums.c Tue Dec 5 13:31:40 2006
@@ -431,9 +431,10 @@
#define UMS_BUT(i) ((i) < 3 ? (((i) + 2) % 3) : (i))
DPRINTFN(5, ("ums_intr: sc=%p status=%d\n", sc, status));
- DPRINTFN(5, ("ums_intr: data = %02x %02x %02x %02x %02x %02x\n",
- sc->sc_ibuf[0], sc->sc_ibuf[1], sc->sc_ibuf[2],
- sc->sc_ibuf[3], sc->sc_ibuf[4], sc->sc_ibuf[5]));
+ DPRINTFN(5, ("ums_intr: data =));
+ for (i = 0; i < sc->sc_isize; i++)
+ DPRINTFN(5, (" %02x", sc->sc_ibuf[i]));
+ DPRINTFN(5, ("\n"));
if (status == USBD_CANCELLED)
return;
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-usb
mailing list