git: 152bb8e30204 - main - umb: avoid buffer overflow in umb_getinfobuf()
Date: Thu, 29 May 2025 13:09:52 UTC
The branch main has been updated by khorben: URL: https://cgit.FreeBSD.org/src/commit/?id=152bb8e3020451963a3f2a8adf05f00a5222a4e5 commit 152bb8e3020451963a3f2a8adf05f00a5222a4e5 Author: Pierre Pronchery <khorben@FreeBSD.org> AuthorDate: 2025-05-26 23:42:30 +0000 Commit: Pierre Pronchery <khorben@FreeBSD.org> CommitDate: 2025-05-29 13:07:54 +0000 umb: avoid buffer overflow in umb_getinfobuf() umb_getinfobuf() is called with offs and size taken from messages sent by the USB device. The sanity check is not sufficient, due to a possible integer wrap. This can allow a broken or malicious USB device, or possibly the network operator, to cause a buffer overflow. This fix from Gerhard Roth was obtained after coordination upstream with OpenBSD. It converts the variables to 64-bit integers, which should mitigate the risk of overflows. PR: 284906 Reported by: Robert Morris <rtm@lcs.mit.edu> Approved by: philip (mentor) Sponsored by: The FreeBSD Foundation --- sys/dev/usb/net/if_umb.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c index 50f481973be0..a7d3bb764a2b 100644 --- a/sys/dev/usb/net/if_umb.c +++ b/sys/dev/usb/net/if_umb.c @@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz, { offs = le32toh(offs); sz = le32toh(sz); - if (inlen >= offs + sz) { - memset(out, 0, outlen); + memset(out, 0, outlen); + if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz) memcpy(out, in + offs, MIN(sz, outlen)); - } } static inline int
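Review bot: In the new check `if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz)`, `inlen` is a signed `int` (per the `int inlen` parameter in the hunk header). A negative `inlen` would sign-extend under the cast to a value larger than any possible `offs + sz`, and the comparison would pass. If no caller can pass a negative length this is harmless, but the function would be more robust with an explicit `inlen >= 0` test ahead of the cast, or with `inlen` declared as an unsigned type such as `size_t`. Separately, `memset(out, 0, outlen)` has moved out of the conditional, so `out` is now zeroed even when the bounds check fails. That is a behaviour change from the removed lines which the commit message does not mention, and it deserves a sentence there.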