git: 152bb8e30204 - main - umb: avoid buffer overflow in umb_getinfobuf()

From: Pierre Pronchery <khorben_at_FreeBSD.org>
Date: Thu, 29 May 2025 13:09:52 UTC
The branch main has been updated by khorben:

URL: https://cgit.FreeBSD.org/src/commit/?id=152bb8e3020451963a3f2a8adf05f00a5222a4e5

commit 152bb8e3020451963a3f2a8adf05f00a5222a4e5
Author:     Pierre Pronchery <khorben@FreeBSD.org>
AuthorDate: 2025-05-26 23:42:30 +0000
Commit:     Pierre Pronchery <khorben@FreeBSD.org>
CommitDate: 2025-05-29 13:07:54 +0000

    umb: avoid buffer overflow in umb_getinfobuf()
    
    umb_getinfobuf() is called with offs and size taken from messages sent
    by the USB device. The sanity check is not sufficient, due to a possible
    integer wrap. This can allow a broken or malicious USB device, or
    possibly the network operator, to cause a buffer overflow.
    
    This fix from Gerhard Roth was obtained after coordination upstream with
    OpenBSD. It converts the variables to 64-bit integers, which should
    mitigate the risk of overflows.
    
    PR:             284906
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Approved by:    philip (mentor)
    Sponsored by:   The FreeBSD Foundation
---
 sys/dev/usb/net/if_umb.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c
index 50f481973be0..a7d3bb764a2b 100644
--- a/sys/dev/usb/net/if_umb.c
+++ b/sys/dev/usb/net/if_umb.c
@@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz,
 {
 	offs = le32toh(offs);
 	sz = le32toh(sz);
-	if (inlen >= offs + sz) {
-		memset(out, 0, outlen);
+	memset(out, 0, outlen);
+	if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz)
 		memcpy(out, in + offs, MIN(sz, outlen));
-	}
 }
 
 static inline int
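
Review bot: The new bounds check casts a signed value, (uint64_t)inlen, where the signature declares int inlen, so a negative inlen would convert to a very large unsigned number and the comparison would pass for any offs and sz. If callers can never pass a negative length, an assertion or comment stating that would make the invariant explicit; otherwise add "inlen >= 0 &&" to the condition or change the parameter to an unsigned type. The widening of the sum is sound, since two 32-bit values added as uint64_t cannot wrap. Separately, memset(out, 0, outlen) now runs before the check, so out is zeroed even when the input is rejected; that is a sensible change for callers that read out afterwards, but the commit message does not mention it and it deserves a line there.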