> + th.td_id = ntohs(*(u16 *) (blob)); > + th.td_flags = ntohs(*(u16 *) (blob + 2)); > + th.td_lolen = ntohl(*(u32 *) (blob + 8)); Use cpu_to and _to_cpu functions for here so it is clear the intended direction and endianness. > + > +static inline int aa_inbounds(struct aa_ext *e, size_t size) > +{ > + return (e->pos + size <= e->end); > +} Can e->pos + size ever overflow. If so this check isn't safe. > + * aa_unpack_profile - unpack a serialized profile > + * @e: serialized data extent information > + * @error: error code returned if unpacking fails > + */ > +static struct aa_profile *aa_unpack_profile(struct aa_ext *e) > +{ > + struct aa_profile *profile = NULL; > + > + /* get optional subprofiles */ > + if (aa_is_nameX(e, AA_LIST, "hats")) { > + while (!aa_is_nameX(e, AA_LISTEND, NULL)) { > + struct aa_profile *subprofile; > + subprofile = aa_unpack_profile(e); > + if (IS_ERR(subprofile)) { What bounds recursion here on invalid input ? - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html