Date: Thu, 29 May 2025 13:09:52 GMT
From: Pierre Pronchery <khorben@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 152bb8e30204 - main - umb: avoid buffer overflow in umb_getinfobuf()
Message-ID: <202505291309.54TD9qi7061631@gitrepo.freebsd.org>
The branch main has been updated by khorben: URL: https://cgit.FreeBSD.org/src/commit/?id=152bb8e3020451963a3f2a8adf05f00a5222a4e5 commit 152bb8e3020451963a3f2a8adf05f00a5222a4e5 Author: Pierre Pronchery <khorben@FreeBSD.org> AuthorDate: 2025-05-26 23:42:30 +0000 Commit: Pierre Pronchery <khorben@FreeBSD.org> CommitDate: 2025-05-29 13:07:54 +0000 umb: avoid buffer overflow in umb_getinfobuf() umb_getinfobuf() is called with offs and size taken from messages sent by the USB device. The sanity check is not sufficient, due to a possible integer wrap. This can allow a broken or malicious USB device, or possibly the network operator, to cause a buffer overflow. This fix from Gerhard Roth was obtained after coordination upstream with OpenBSD. It converts the variables to 64-bit integers, which should mitigate the risk of overflows. PR: 284906 Reported by: Robert Morris <rtm@lcs.mit.edu> Approved by: philip (mentor) Sponsored by: The FreeBSD Foundation --- sys/dev/usb/net/if_umb.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sys/dev/usb/net/if_umb.c b/sys/dev/usb/net/if_umb.c index 50f481973be0..a7d3bb764a2b 100644 --- a/sys/dev/usb/net/if_umb.c +++ b/sys/dev/usb/net/if_umb.c @@ -1377,10 +1377,9 @@ umb_getinfobuf(char *in, int inlen, uint32_t offs, uint32_t sz, { offs = le32toh(offs); sz = le32toh(sz); - if (inlen >= offs + sz) { - memset(out, 0, outlen); + memset(out, 0, outlen); + if ((uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz) memcpy(out, in + offs, MIN(sz, outlen)); - } } static inline int
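Review bot: In the new condition `(uint64_t)inlen >= (uint64_t)offs + (uint64_t)sz`, inlen is a signed int (per the function signature in the hunk header), so a negative value would convert to a very large uint64_t and satisfy the bound for any device-supplied offs and sz. The callers are not visible in this hunk; if none of them can pass a negative length, an assertion or an explicit `inlen >= 0 &&` in the condition (or a size_t parameter) would make that invariant visible at the point where it matters. Separately, memset(out, 0, outlen) moves out of the conditional, so out is now zeroed even when the range is rejected; that looks intentional and sensible, but the commit message does not mention it, and a short comment above the check noting that offs and sz are device-controlled and are widened to avoid 32-bit wrap would help the next reader.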