git: 152bb8e30204 - main - umb: avoid buffer overflow in umb_getinfobuf()
Date: Thu, 29 May 2025 13:09:52 UTC
The branch main has been updated by khorben:
URL: https://cgit.FreeBSD.org/src/commit/?id=152bb8e3020451963a3f2a8adf05f00a5222a4e5
commit 152bb8e3020451963a3f2a8adf05f00a5222a4e5
Author: Pierre Pronchery <khorben@FreeBSD.org>
AuthorDate: 2025-05-26 23:42:30 +0000
Commit: Pierre Pronchery <khorben@FreeBSD.org>
CommitDate: 2025-05-29 13:07:54 +0000
umb: avoid buffer overflow in umb_getinfobuf()
umb_getinfobuf() is called with offs and size taken from messages sent
by the USB device. The sanity check is not sufficient, due to a possible
integer wrap. This can allow a broken or malicious USB device, or
possibly the network operator, to cause a buffer overflow.
This fix from Gerhard Roth was obtained after coordination upstream with
OpenBSD. It converts the variables to 64-bit integers, which should
mitigate the risk of overflows.
PR: 284906
Reported by: Robert Morris <rtm@lcs.mit.edu>
Approved by: philip (mentor)
Sponsored by: The FreeBSD Foundation
---
sys/dev/usb/net/if_umb.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c
index 50f481973be0..a7d3bb764a2b 100644
--- a/sys/dev/usb/net/if_umb.c
+++ b/sys/dev/usb/net/if_umb.c
@@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz,
{
offs = le32toh(offs);
sz = le32toh(sz);
- if (inlen >= offs + sz) {
- memset(out, 0, outlen);
+ memset(out, 0, outlen);
+ if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz)
memcpy(out, in + offs, MIN(sz, outlen));
- }
}
static inline int
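Review bot: The new bounds test casts a signed value, `(uint64_t)inlen`, since the hunk header declares `int inlen`; a negative inlen would convert to a very large unsigned value and the comparison would pass. Widening offs and sz does remove the 32-bit wrap in `offs + sz`, but I would also reject `inlen < 0` before the comparison, or state in a comment that callers never pass a negative length. Separately, `memset(out, 0, outlen)` now runs unconditionally, so out is cleared even when the check fails; that looks like the safer behaviour, and a one-line comment saying it is intentional would help the next reader.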