Page MenuHomeFreeBSD
Differential D11786

uath: fix varible types, add checks for descriptor / command header structure fields.
ClosedPublic
Actions

Authored by avos on Jul 30 2017, 10:49 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Nov 15, 7:10 AM
Unknown Object (File)
Wed, Nov 13, 2:23 PM
Unknown Object (File)
Fri, Nov 8, 1:37 AM
Unknown Object (File)
Thu, Oct 31, 3:42 PM
Unknown Object (File)
Wed, Oct 30, 6:17 PM
Unknown Object (File)
Sep 30 2024, 3:54 AM
Unknown Object (File)
Sep 13 2024, 2:59 PM
Unknown Object (File)
Sep 7 2024, 7:57 AM
View All 47 Files
Subscribers
imp

Details

Reviewers
adrian
hselasky
Commits
rS324144: uath(4): fix varible types, add missing checks for descriptor / command
Summary
  • Use 'uint32_t' to save be32toh(9) result.
  • Drop too short payload (to prevent 'chunklen' underflow).
  • Recheck Rx descriptor fields to prevent buffer over-read.
Test Plan

Untested.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

avos created this revision.Jul 30 2017, 10:49 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 30 2017, 10:49 PM
hselasky added inline comments.Jul 31 2017, 7:07 AM
sys/dev/usb/wlan/if_uath.c
2224 ↗(On Diff #31356)

If hdr->len comes from HW, please verify that value is valid!

2230 ↗(On Diff #31356)

Missing upper range check?

2499 ↗(On Diff #31356)

chunklen should also be checked against actlen ???

2572 ↗(On Diff #31356)

Are the offsets and payloads within the USB buffer and below actlen ?

2601 ↗(On Diff #31356)

Missing upper and lower checks for desc->framelen !

avos updated this revision to Diff 31683.Aug 7 2017, 12:04 AM
avos retitled this revision from uath: fix type, add sanity check to uath: fix varible types, add checks for descriptor / command header structure fields..
avos edited the summary of this revision. (Show Details)

Address some possible buffer over-reads.

avos marked 3 inline comments as done.Aug 13 2017, 7:16 PM
avos added inline comments.
sys/dev/usb/wlan/if_uath.c
2224 ↗(On Diff #31356)

Done in uath_intr_rx_callback()

avos updated this revision to Diff 32014.Aug 13 2017, 7:51 PM
avos marked an inline comment as done.
  • Add more 'framelen' variable checks.
  • Check hdr->len before using it to calculate dlen.
avos marked 3 inline comments as done.Aug 13 2017, 7:53 PM
hselasky edited edge metadata.Aug 13 2017, 8:07 PM

I'll have a closer look at this tomorrow. Thank you!

hselasky added inline comments.Aug 14 2017, 12:29 PM
sys/dev/usb/wlan/if_uath.c
2244 ↗(On Diff #32014)

Can you invert this code? It makes it more clear:

!(a && b) == ((!a) || (!b))

if (hdr->len < sizeof(*hdr) || hdr->len >= UATH_MAX_CMDSZ)

2362 ↗(On Diff #32014)

if (hdr->len > (uint32_t)actlen)

2652 ↗(On Diff #32014)

Add this check first? Or is it redundant?
actlen < sizeof(struct uath_chunk) ||

cast: actlen - sizeof(struct uath_chunk) to uint32_t:

framelen > (uint32_t)(actlen - sizeof(struct uath_chunk))

avos updated this revision to Diff 32264.Aug 20 2017, 10:38 AM
avos marked 3 inline comments as done.Aug 20 2017, 10:43 AM
avos added inline comments.
sys/dev/usb/wlan/if_uath.c
2652 ↗(On Diff #32014)

Already checked at the top of the function ('if (actlen < (int)UATH_MIN_RXBUFSZ)')

avos marked 2 inline comments as done.Aug 20 2017, 10:44 AM
hselasky accepted this revision.Aug 20 2017, 7:09 PM

Looks good.

This revision is now accepted and ready to land.Aug 20 2017, 7:09 PM
Closed by commit rS324144: uath(4): fix varible types, add missing checks for descriptor / command (authored by avos). · Explain WhySep 30 2017, 9:01 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
dev/
usb/
wlan/
122 lines

Diff 33594

View Options

head/sys/dev/usb/wlan/if_uath.c

Loading...