mirror of
https://github.com/opnsense/src.git
synced 2026-06-21 22:49:34 -04:00
82c41c9ffc
When processing messages produced by the USB device, umb_decap() trusts ptroff and later dlen and doff with pointer arithmetic, without sufficient sanity checks. The resulting pointer address may be outside of the valid boundary, causing the wrong memory to be copied or a page fault. This fix from Gerhard Roth was obtained after coordination upstream with OpenBSD. It converts the variables to 64-bit integers, which should mitigate the risk of overflows. PR: 284920 Reported by: Robert Morris <rtm@lcs.mit.edu> Approved by: philip (mentor) Sponsored by: The FreeBSD Foundation |
||
|---|---|---|
| .. | ||
| controller | ||
| gadget | ||
| input | ||
| misc | ||
| net | ||
| quirk | ||
| serial | ||
| storage | ||
| template | ||
| video | ||
| wlan | ||
| ufm_ioctl.h | ||
| uftdiio.h | ||
| uled_ioctl.h | ||
| usb.h | ||
| usb_bus.h | ||
| usb_busdma.c | ||
| usb_busdma.h | ||
| usb_cdc.h | ||
| usb_controller.h | ||
| usb_core.c | ||
| usb_core.h | ||
| usb_debug.c | ||
| usb_debug.h | ||
| usb_dev.c | ||
| usb_dev.h | ||
| usb_device.c | ||
| usb_device.h | ||
| usb_dynamic.c | ||
| usb_dynamic.h | ||
| usb_endian.h | ||
| usb_error.c | ||
| usb_fdt_support.c | ||
| usb_fdt_support.h | ||
| usb_freebsd.h | ||
| usb_freebsd_loader.h | ||
| usb_generic.c | ||
| usb_generic.h | ||
| usb_handle_request.c | ||
| usb_hid.c | ||
| usb_hub.c | ||
| usb_hub.h | ||
| usb_hub_acpi.c | ||
| usb_hub_private.h | ||
| usb_if.m | ||
| usb_ioctl.h | ||
| usb_lookup.c | ||
| usb_mbuf.c | ||
| usb_mbuf.h | ||
| usb_msctest.c | ||
| usb_msctest.h | ||
| usb_parse.c | ||
| usb_pci.h | ||
| usb_pf.c | ||
| usb_pf.h | ||
| usb_process.c | ||
| usb_process.h | ||
| usb_request.c | ||
| usb_request.h | ||
| usb_transfer.c | ||
| usb_transfer.h | ||
| usb_util.c | ||
| usb_util.h | ||
| usbdevs | ||
| usbdi.h | ||
| usbdi_util.h | ||
| usbhid.h | ||