Page MenuHomeFreeBSD

uath: fix varible types, add checks for descriptor / command header structure fields.
ClosedPublic

Authored by avos on Jul 30 2017, 10:49 PM.

Details

Summary
  • Use 'uint32_t' to save be32toh(9) result.
  • Drop too short payload (to prevent 'chunklen' underflow).
  • Recheck Rx descriptor fields to prevent buffer over-read.
Test Plan

Untested.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

sys/dev/usb/wlan/if_uath.c
2224 ↗(On Diff #31356)

If hdr->len comes from HW, please verify that value is valid!

2230 ↗(On Diff #31356)

Missing upper range check?

2499 ↗(On Diff #31356)

chunklen should also be checked against actlen ???

2572 ↗(On Diff #31356)

Are the offsets and payloads within the USB buffer and below actlen ?

2601 ↗(On Diff #31356)

Missing upper and lower checks for desc->framelen !

avos retitled this revision from uath: fix type, add sanity check to uath: fix varible types, add checks for descriptor / command header structure fields..
avos edited the summary of this revision. (Show Details)

Address some possible buffer over-reads.

avos marked 3 inline comments as done.Aug 13 2017, 7:16 PM
avos added inline comments.
sys/dev/usb/wlan/if_uath.c
2224 ↗(On Diff #31356)

Done in uath_intr_rx_callback()

avos marked an inline comment as done.
  • Add more 'framelen' variable checks.
  • Check hdr->len before using it to calculate dlen.
avos marked 3 inline comments as done.Aug 13 2017, 7:53 PM

I'll have a closer look at this tomorrow. Thank you!

sys/dev/usb/wlan/if_uath.c
2244 ↗(On Diff #32014)

Can you invert this code? It makes it more clear:

!(a && b) == ((!a) || (!b))

if (hdr->len < sizeof(*hdr) || hdr->len >= UATH_MAX_CMDSZ)

2362 ↗(On Diff #32014)

if (hdr->len > (uint32_t)actlen)

2652 ↗(On Diff #32014)

Add this check first? Or is it redundant?
actlen < sizeof(struct uath_chunk) ||

cast: actlen - sizeof(struct uath_chunk) to uint32_t:

framelen > (uint32_t)(actlen - sizeof(struct uath_chunk))

avos added inline comments.
sys/dev/usb/wlan/if_uath.c
2652 ↗(On Diff #32014)

Already checked at the top of the function ('if (actlen < (int)UATH_MIN_RXBUFSZ)')

This revision is now accepted and ready to land.Aug 20 2017, 7:09 PM
This revision was automatically updated to reflect the committed changes.