On Mon, Apr 01, 2019 at 11:03:53AM -0700, Cong Wang wrote:
> Hi,
>
> On Sat, Mar 30, 2019 at 2:23 AM Tomas Bortoli <tomasbortoli@xxxxxxxxx> wrote:
> >
> > Hi Dan,
> >
> > On 3/30/19 8:25 AM, Dan Carpenter wrote:
> > > There is a potential out of bounds if "ev->length" is too high or if the
> > > number of reports are too many.
> > >
> > > Fixes: c215e9397b00 ("Bluetooth: Process extended ADV report event")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > Reviewed-By: Tomas Bortoli <tomasbortoli@xxxxxxxxx>
>
> I sent a patchset to fix all of this kind of OOB:
> https://marc.info/?l=linux-netdev&m=155314874622831&w=2
>
> Unfortunately I get no response...
>
> Does any of you mind to look at them?
>
I don't know the rules... When is it ok say:
if (skb->len < sizeof(*ev))
return;
and when must we say:
if (!pskb_may_pull(skb, sizeof(*ev)))
return;
Btw, get rid of all the likely/unlikely() macros. Then the other style
comment would be don't move the "ev = (void *)skb->data;" assignments
around. It's ok to say:
struct hci_ev_pin_code_req *ev = (void *)skb->data;
struct hci_conn *conn;
if (!pskb_may_pull(skb, sizeof(*ev)))
return;
regards,
dan carpenter
