git: 5ed36e2e1729 - main - umb: avoid buffer overflow in umb_in_len2mask()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 29 May 2025 13:09:51 UTC
The branch main has been updated by khorben:
URL: https://cgit.FreeBSD.org/src/commit/?id=5ed36e2e1729d6a49a65366c03fc15515967ae67
commit 5ed36e2e1729d6a49a65366c03fc15515967ae67
Author: Pierre Pronchery <khorben@FreeBSD.org>
AuthorDate: 2025-05-26 23:18:53 +0000
Commit: Pierre Pronchery <khorben@FreeBSD.org>
CommitDate: 2025-05-29 13:07:52 +0000
umb: avoid buffer overflow in umb_in_len2mask()
len comes from ipv4elem.prefixlen in a MBIM_CID_IP_CONFIGURATION message
from the USB device, and should not be trusted, as it could be any
uint32_t value. Without this extra check, a potential buffer overflow
could subsequently occur in umb_in_len2mask().
Fix from Gerhard Roth, after coordination upstream with OpenBSD.
PR: 284904
Reported by: Robert Morris <rtm@lcs.mit.edu>
Approved by: philip (mentor)
Sponsored by: The FreeBSD Foundation
---
sys/dev/usb/net/if_umb.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c
index 9b2b504cfa6b..50f481973be0 100644
--- a/sys/dev/usb/net/if_umb.c
+++ b/sys/dev/usb/net/if_umb.c
@@ -1753,7 +1753,8 @@ umb_add_inet_config(struct umb_softc *sc, struct in_addr ip, u_int prefixlen,
sin = (struct sockaddr_in *)&ifra.ifra_mask;
sin->sin_family = AF_INET;
sin->sin_len = sizeof (*sin);
- umb_in_len2mask(&sin->sin_addr, prefixlen);
+ umb_in_len2mask(&sin->sin_addr,
+ MIN(prefixlen, sizeof (struct in_addr) * 8));
mtx_unlock(&sc->sc_mutex);
CURVNET_SET_QUIET(if_getvnet(ifp));