mirror of
https://github.com/opnsense/src.git
synced 2026-06-21 22:49:34 -04:00
umb_getinfobuf() is called with offs and size taken from messages sent by the USB device. The sanity check is not sufficient, due to a possible integer wrap. This can allow a broken or malicious USB device, or possibly the network operator, to cause a buffer overflow.

This fix from Gerhard Roth was obtained after coordination upstream with OpenBSD. It converts the variables to 64-bit integers, which should mitigate the risk of overflows.

PR: 284906
Reported by: Robert Morris <rtm@lcs.mit.edu>
Approved by: philip (mentor)
Sponsored by: The FreeBSD Foundation

||
|---|---|---|
| controller | ||
| gadget | ||
| input | ||
| misc | ||
| net | ||
| quirk | ||
| serial | ||
| storage | ||
| template | ||
| video | ||
| wlan | ||
| ufm_ioctl.h | ||
| uftdiio.h | ||
| uled_ioctl.h | ||
| usb.h | ||
| usb_bus.h | ||
| usb_busdma.c | ||
| usb_busdma.h | ||
| usb_cdc.h | ||
| usb_controller.h | ||
| usb_core.c | ||
| usb_core.h | ||
| usb_debug.c | ||
| usb_debug.h | ||
| usb_dev.c | ||
| usb_dev.h | ||
| usb_device.c | ||
| usb_device.h | ||
| usb_dynamic.c | ||
| usb_dynamic.h | ||
| usb_endian.h | ||
| usb_error.c | ||
| usb_fdt_support.c | ||
| usb_fdt_support.h | ||
| usb_freebsd.h | ||
| usb_freebsd_loader.h | ||
| usb_generic.c | ||
| usb_generic.h | ||
| usb_handle_request.c | ||
| usb_hid.c | ||
| usb_hub.c | ||
| usb_hub.h | ||
| usb_hub_acpi.c | ||
| usb_hub_private.h | ||
| usb_if.m | ||
| usb_ioctl.h | ||
| usb_lookup.c | ||
| usb_mbuf.c | ||
| usb_mbuf.h | ||
| usb_msctest.c | ||
| usb_msctest.h | ||
| usb_parse.c | ||
| usb_pci.h | ||
| usb_pf.c | ||
| usb_pf.h | ||
| usb_process.c | ||
| usb_process.h | ||
| usb_request.c | ||
| usb_request.h | ||
| usb_transfer.c | ||
| usb_transfer.h | ||
| usb_util.c | ||
| usb_util.h | ||
| usbdevs | ||
| usbdi.h | ||
| usbdi_util.h | ||
| usbhid.h | ||