RE: [PATCH 1/3] tty: n_gsm: fix buffer over-read in gsm_dlci_data()

From: Starke, Daniel
Date: Mon May 09 2022 - 06:55:41 EST


> On 04. 05. 22, 10:17, D. Starke wrote:
> > From: Daniel Starke <daniel.starke@xxxxxxxxxxx>
> >
> > 'len' is decreased after each octet that has its EA bit set to 0,
> > which means that the value is encoded with additional octets. However,
> > the final octet does not decrease 'len' which results in 'len' being
> > one byte too long. A buffer over-read may occur in
> > tty_insert_flip_string() as it tries to read one byte more than the
> > passed content size of 'data'.
> > Decrease 'len' also for the final octet which has the EA bit set to 1
> > to write the correct number of bytes from the internal receive buffer
> > to the virtual tty.
> >
> > Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push")
>
> That commit barely introduced the problem.

You are right. It was introduced in
commit e1eaea46bb40 ("tty: n_gsm line discipline")

This patch was already included in the tty-linus branch. Shall I resubmit it nevertheless?

Best regards,
Daniel Starke
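
The length accounting described in the quoted commit message, as an added stand-alone C model (not code from the patch or from the kernel). The names `read_ea`, `payload_len`, `overread_bytes`, the `count_final` switch and the sample frames are constructed for illustration; it assumes EA is the low bit of each octet and the other seven bits carry the value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EA 0x01 /* extension bit: 1 marks the final octet of a value */
/* Constructed sample frames: EA-encoded prefix followed by payload bytes. */
const uint8_t FRAME_ONE[] = { 0x8D, 'h', 'i' };  /* 1-octet prefix */
const uint8_t FRAME_TWO[] = { 0x02, 0x03, 'A' }; /* 2-octet prefix */
const uint8_t FRAME_CUT[] = { 0x02, 0x04 };      /* no final octet */

/* Accumulate 7 value bits per octet; non-zero return means final octet. */
static int read_ea(unsigned int *val, uint8_t c)
{
    *val = (*val << 7) | (c >> 1);
    return c & EA;
}

/* Skip the prefix, return payload length; count_final=0 models the miscount. */
static size_t payload_len(const uint8_t *data, size_t len, int count_final,
                          const uint8_t **payload)
{
    unsigned int value = 0;
    *payload = NULL;
    if (len == 0)
        return 0;
    while (read_ea(&value, *data++) == 0) {
        len--;              /* octet with EA = 0 is counted */
        if (len == 0)
            return 0;       /* buffer ended before the final octet */
    }
    if (count_final)
        len--;              /* also count the final octet (EA = 1) */
    *payload = data;
    return len;
}

/* Bytes that copying the reported payload length would read past the frame. */
static long overread_bytes(const uint8_t *frame, size_t total, int count_final)
{
    const uint8_t *payload;
    size_t n = payload_len(frame, total, count_final, &payload);
    return payload ? (long)(payload - frame) + (long)n - (long)total : 0;
}

int main(void)
{
    printf("over-read bytes: final octet uncounted=%ld, counted=%ld\n",
           overread_bytes(FRAME_ONE, 3, 0), overread_bytes(FRAME_ONE, 3, 1));
    return 0;
}
```
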