Message ID | 1317921370-25771-2-git-send-email-apw@canonical.com |
---|---|
State | New |
On Thu, Oct 06, 2011 at 06:16:10PM +0100, Andy Whitcroft wrote: > When attempting to name a device we request various strings from the > device. A malicious device could return very long strings triggering a > buffer overflow. > > CVE-2009-4067 > BugLink: http://bugs.launchpad.net/bugs/869195 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > drivers/usb/misc/auerswald.c | 14 ++++++++++++-- > 1 files changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c > index df7e1ec..5111b80 100644 > --- a/drivers/usb/misc/auerswald.c > +++ b/drivers/usb/misc/auerswald.c > @@ -1945,13 +1945,23 @@ static int auerswald_probe (struct usb_interface *intf, > /* Try to get a suitable textual description of the device */ > /* Device name:*/ > ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1); > - if (ret >= 0) { > + /* > + * If we were successful, and there is room remaining for a serial > + * number then look it up and append it. Assume the serial number > + * is at least 4 digits. > + */ > + if (ret >= 0 && ret < AUSI_DLEN-1-6-4) { > u += ret; > /* Append Serial Number */ > memcpy(&cp->dev_desc[u], ",Ser# ", 6); > u += 6; > ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1); > - if (ret >= 0) { > + /* > + * If we were successful and there is room remaining for > + * the subscriber prefix then look it up and append it. > + * Assume the subscriber number is at least 1 digit. > + */ > + if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) { > u += ret; > /* Append subscriber number */ > memcpy(&cp->dev_desc[u], ", ", 2); Looks to do what it says, and should fix the potential for buffer overflow. Acked-by: Seth Forshee <seth.forshee@canonical.com>
On 06.10.2011 19:16, Andy Whitcroft wrote: > When attempting to name a device we request various strings from the > device. A malicious device could return very long strings triggering a > buffer overflow. > > CVE-2009-4067 > BugLink: http://bugs.launchpad.net/bugs/869195 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > drivers/usb/misc/auerswald.c | 14 ++++++++++++-- > 1 files changed, 12 insertions(+), 2 deletions(-) > > diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c > index df7e1ec..5111b80 100644 > --- a/drivers/usb/misc/auerswald.c > +++ b/drivers/usb/misc/auerswald.c > @@ -1945,13 +1945,23 @@ static int auerswald_probe (struct usb_interface *intf, > /* Try to get a suitable textual description of the device */ > /* Device name:*/ > ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1); > - if (ret >= 0) { > + /* > + * If we were successful, and there is room remaining for a serial > + * number then look it up and append it. Assume the serial number > + * is at least 4 digits. > + */ > + if (ret >= 0 && ret < AUSI_DLEN-1-6-4) { > u += ret; > /* Append Serial Number */ > memcpy(&cp->dev_desc[u], ",Ser# ", 6); > u += 6; > ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1); > - if (ret >= 0) { > + /* > + * If we were successful and there is room remaining for > + * the subscriber prefix then look it up and append it. > + * Assume the subscriber number is at least 1 digit. > + */ > + if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) { > u += ret; > /* Append subscriber number */ > memcpy(&cp->dev_desc[u], ", ", 2);
diff --git a/drivers/usb/misc/auerswald.c b/drivers/usb/misc/auerswald.c index df7e1ec..5111b80 100644 --- a/drivers/usb/misc/auerswald.c +++ b/drivers/usb/misc/auerswald.c @@ -1945,13 +1945,23 @@ static int auerswald_probe (struct usb_interface *intf, /* Try to get a suitable textual description of the device */ /* Device name:*/ ret = usb_string( cp->usbdev, AUSI_DEVICE, cp->dev_desc, AUSI_DLEN-1); - if (ret >= 0) { + /* + * If we were successful, and there is room remaining for a serial + * number then look it up and append it. Assume the serial number + * is at least 4 digits. + */ + if (ret >= 0 && ret < AUSI_DLEN-1-6-4) { u += ret; /* Append Serial Number */ memcpy(&cp->dev_desc[u], ",Ser# ", 6); u += 6; ret = usb_string( cp->usbdev, AUSI_SERIALNR, &cp->dev_desc[u], AUSI_DLEN-u-1); - if (ret >= 0) { + /* + * If we were successful and there is room remaining for + * the subscriber prefix then look it up and append it. + * Assume the subscriber number is at least 1 digit. + */ + if (ret >= 0 && ret < AUSI_DLEN-u-1-2-1) { u += ret; /* Append subscriber number */ memcpy(&cp->dev_desc[u], ", ", 2);
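Review bot: In both new conditions (`ret < AUSI_DLEN-1-6-4` and `ret < AUSI_DLEN-u-1-2-1`) the 6 and the 2 repeat the lengths handed to the `memcpy` calls a few lines further down, and the 4 and the 1 are the minimum field widths assumed in the new comments, so the bound and the copy can drift apart if a separator string is ever edited. Suggest deriving each pair from one place, for example a `sizeof(",Ser# ") - 1` shared by the check and the `memcpy` length, and giving the reserved minimums names. The second condition is also only correct because `u` does not yet include `ret` at that point (the `u += ret` comes after it) and because the first condition keeps `AUSI_DLEN-u-1` positive when it is passed to the second `usb_string()` call. A short comment stating that dependency would help, since the declaration of `u` is outside the hunk and, if it is unsigned, a remainder that went negative would wrap instead of failing the test.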
When attempting to name a device we request various strings from the
device. A malicious device could return very long strings triggering a
buffer overflow.

CVE-2009-4067
BugLink: http://bugs.launchpad.net/bugs/869195
Signed-off-by: Andy Whitcroft <apw@canonical.com>

---
 drivers/usb/misc/auerswald.c | 14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)