Hello Shuah Khan,
The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
to handle malicious input" from Dec 7, 2017, leads to the following
static checker warning:
drivers/usb/usbip/stub_rx.c:346 get_pipe()
warn: impossible condition '(pdu->u.cmd_submit.transfer_buffer_length >
((~0 >> 1))) => (s32min-s32max > s32max)'
drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
warn: always true condition '(pdu->u.cmd_submit.transfer_buffer_length <=
((~0 >> 1))) => (s32min-s32max <= s32max)'
drivers/usb/usbip/stub_rx.c
343 epd = &ep->desc;
344
345 /* validate transfer_buffer_length */
346 if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
^^^^^^^^^^^^^^^^^^^^^^
This is an int.
347 dev_err(&sdev->udev->dev,
348 "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length
%d\n",
349 pdu->u.cmd_submit.transfer_buffer_length);
350 return -1;
351 }
[ snip ]
479 if (!priv->urb) {
480 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC);
481 return;
482 }
483
484 /* allocate urb transfer buffer, if needed */
485 if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
486 pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
^^^^^^^^^^^^^^^^^^^^^^
487 priv->urb->transfer_buffer =
488
kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
489 GFP_KERNEL);
490 if (!priv->urb->transfer_buffer) {
491 usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC);
492 return;
493 }
494 }
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html