From: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx> Date: Mon, 26 Aug 2019 21:02:09 +0200 > We 'allocate' 'count' bytes here. In fact, 'dev_alloc_skb' already add some > extra space for padding, so a bit more is allocated. > > However, we use 1 byte for the KISS command, then copy 'count' bytes, so > count+1 bytes. > > Explicitly allocate and use 1 more byte to be safe. > > Signed-off-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx> > --- > This patch should be safe, be however may no be the correct way to fix the > "buffer overflow". Maybe, the allocated size is correct and we should have: > memcpy(ptr, sp->cooked_buf + 1, count - 1); > or > memcpy(ptr, sp->cooked_buf + 1, count - 1sp->rcount); > > I've not dig deep enough to understand the link betwwen 'rcount' and > how 'cooked_buf' is used. I'm trying to figure out how this code works too. Why are they skipping over the first byte? Is that to avoid the command byte? Yes, then using sp->rcount as the memcpy length makes sense. Why is the caller subtracting 2 from the RX buffer count when calculating sp->rcount? This makes the situation even more confusing.