Date:      Thu, 29 May 2025 13:09:51 GMT
From:      Pierre Pronchery <khorben@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 5ed36e2e1729 - main - umb: avoid buffer overflow in umb_in_len2mask()
Message-ID:  <202505291309.54TD9pqe061592@gitrepo.freebsd.org>

The branch main has been updated by khorben:

URL: https://cgit.FreeBSD.org/src/commit/?id=5ed36e2e1729d6a49a65366c03fc15515967ae67

commit 5ed36e2e1729d6a49a65366c03fc15515967ae67
Author:     Pierre Pronchery <khorben@FreeBSD.org>
AuthorDate: 2025-05-26 23:18:53 +0000
Commit:     Pierre Pronchery <khorben@FreeBSD.org>
CommitDate: 2025-05-29 13:07:52 +0000

    umb: avoid buffer overflow in umb_in_len2mask()
    
    len comes from ipv4elem.prefixlen in a MBIM_CID_IP_CONFIGURATION message
    from the USB device, and should not be trusted, as it could be any
    uint32_t value. Without this extra check, a potential buffer overflow
    could subsequently occur in umb_in_len2mask().
    
    Fix from Gerhard Roth, after coordination upstream with OpenBSD.
    
    PR:             284904
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    Approved by:    philip (mentor)
    Sponsored by:   The FreeBSD Foundation
---
 sys/dev/usb/net/if_umb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c
index 9b2b504cfa6b..50f481973be0 100644
--- a/sys/dev/usb/net/if_umb.c
+++ b/sys/dev/usb/net/if_umb.c
@@ -1753,7 +1753,8 @@ umb_add_inet_config(struct umb_softc *sc, struct in_addr ip, u_int prefixlen,
 	sin = (struct sockaddr_in *)&ifra.ifra_mask;
 	sin->sin_family = AF_INET;
 	sin->sin_len = sizeof (*sin);
-	umb_in_len2mask(&sin->sin_addr, prefixlen);
+	umb_in_len2mask(&sin->sin_addr,
+	    MIN(prefixlen, sizeof (struct in_addr) * 8));
 
 	mtx_unlock(&sc->sc_mutex);
 	CURVNET_SET_QUIET(if_getvnet(ifp));
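
Review bot: The bound is applied only at this call site in umb_add_inet_config(), so umb_in_len2mask() itself still accepts any len and depends on every caller clamping first. Consider moving the check into umb_in_len2mask() (or adding an assertion there) so the helper cannot write past the struct in_addr regardless of who calls it. Separately, MIN(prefixlen, sizeof (struct in_addr) * 8) silently turns an out-of-range prefixlen from the device into a /32 mask; since the commit message says the value comes from an untrusted MBIM_CID_IP_CONFIGURATION message, it may be worth logging the malformed value or rejecting the configuration instead of installing it with a substituted mask. A short comment above the call stating that prefixlen is device-controlled would also help future readers understand why the clamp is there.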


