xorl %eax, %eax

Linux Kernel IrDA Sigmatel STIR421X Off-by-One


This is just a cute little rookie mistake which affects the Linux kernel up to 2.6.27. It was discovered by Jose-Vicente Gilabert and reported on 10 January 2009. The bug can be found under drivers/net/irda/irda-usb.c. The following snippets were taken from 2.6.27. Here we are…

1069 /*
1070  * Function stir421x_patch_device(struct irda_usb_cb *self)
1071  *
1072  * Get a firmware code from userspase using hotplug request_firmware() call
1073  */
1074 static int stir421x_patch_device(struct irda_usb_cb *self)
1075 {
1076        unsigned int i;
1077        int ret;
1078        char stir421x_fw_name[11];
1083        /*
1084         * Known firmware patch file names for STIR421x dongles
1085         * are "42101001.sb" or "42101002.sb"
1086         */
1087        sprintf(stir421x_fw_name, "4210%4X.sb",
1088                self->usbdev->descriptor.bcdDevice);
1089        ret = request_firmware(&fw, stir421x_fw_name, &self->usbdev->dev);
1090        if (ret < 0)
1091                return ret;
1145        release_firmware(fw);
1147        return ret;
1148 }

As you can read at line 1078, the allocated buffer is 11 bytes long. However, a quick look at line 1086 implies 12 bytes because:

4210 = 4 bytes
%4X  = 4 bytes
.sb  = 3 bytes
NULL = 1 byte

Seems like the developer made a completely rookie mistake and forgot that strings are NULL terminated in C! This could lead to an information leak if request_firmware() gives some kind of output but I haven’t checked this. Anyway, the patch was of course:

        int ret;
-       char stir421x_fw_name[11];
+       char stir421x_fw_name[12];
        const struct firmware *fw;
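
Review bot: at `char stir421x_fw_name[12];` the size is still a hand-counted constant, and the sprintf() call that fills the array stays unbounded, so a later change to the "4210%4X.sb" format would reintroduce the overflow without any warning. Since `%4X` sets a minimum field width rather than a cap, I would switch the call to `snprintf(stir421x_fw_name, sizeof(stir421x_fw_name), "4210%4X.sb", ...)` and add a short comment that 12 is the 11 characters of the name plus the terminator.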

I know, nothing important, but it’s still really funny that a Linux kernel developer forgets strings must be NULL terminated. That’s why I found it cute ;p
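
The byte count above can be checked mechanically. The following userspace C sketch is an added example, not code from the kernel or from the original post: it computes the space the "4210%4X.sb" format needs and shows a bounded formatter that reports truncation instead of writing past the buffer. The helper names `fw_name_required` and `fw_name_format` and the sample bcdDevice value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define FW_NAME_FMT "4210%4X.sb"   /* format string from the driver snippet */

/* Bytes needed for the formatted name, including the terminating NUL. */
static size_t fw_name_required(uint16_t bcd_device)
{
    int n = snprintf(NULL, 0, FW_NAME_FMT, (unsigned int)bcd_device);
    return n < 0 ? 0 : (size_t)n + 1;
}

/*
 * Bounded formatter (hypothetical helper): returns 0 on success and -1
 * if the name does not fit. On truncation the buffer still holds a
 * NUL-terminated prefix, so nothing is written past buf[len - 1].
 */
static int fw_name_format(char *buf, size_t len, uint16_t bcd_device)
{
    int n = snprintf(buf, len, FW_NAME_FMT, (unsigned int)bcd_device);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char old_buf[11];          /* array size before the patch */
    char new_buf[12];          /* array size after the patch  */
    uint16_t bcd = 0x1001;     /* constructed value giving "42101001.sb" */

    printf("required: %zu bytes\n", fw_name_required(bcd));
    printf("11-byte buffer: %s\n",
           fw_name_format(old_buf, sizeof(old_buf), bcd) ? "truncated" : "ok");
    printf("12-byte buffer: %s (%s)\n",
           fw_name_format(new_buf, sizeof(new_buf), bcd) ? "truncated" : "ok",
           new_buf);
    return 0;
}
```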

Written by xorl

March 11, 2009 at 13:58

Posted in linux, vulnerabilities
