On Mon, Jun 07, 2021 at 03:39:00PM +0800, Yang Yanchao wrote:
> For CVE-2021-3542:

What does that mean?  We don't know what cve numbers refer to as there
is no way to really track and update the information with them.  Please
spell out the issue please.

>
> 1???read_pos will be added four times in the patch,
> so use "read_pos + 4 < length" and write_pos as well

what is "???" here?

>
> 2. The last four bits of c->operand are used for CRC,
> so "sizeof (C - > operand) - 4" is used
>
> 3. "read_pos+=2" is added after the end of read_pos, so add value (read_pos >= length)
>
> 4. In order to avoid memcpy crossing the boundary, es_ info_ length > length - read_ pos
>
> 5. When the date_length is a specific input of a construction,it will cause memcpy
> to exceed the boundary, "(MSG - > MSG [3] & 0x7F) + date_ length) > (sizeof(msg->msg) - 4)"

I do not understand, this is saying what you did, not _why_ you did it.

can you please rework this to make it more obvious what you are doing?

And shouldn't this be more than one patch?  A series of patches, each
fixing one thing?

And no need to put security@xxxxxxxxxx on this now that you have sent it
to a public mailing list.

thanks,

greg k-h
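The checks listed in the quoted patch description (enough bytes left before reading a fixed-size header, a length field bounded by the bytes remaining before memcpy, and a trailing 4-byte CRC excluded from the parsed body) are the standard shape of bounds validation in a parser over untrusted input. The following is an added example written for this page; it is not the driver's code or the submitted patch. The message layout, the `entry` struct, `ES_INFO_MAX`, and the sample buffers are all constructed here, and the names `read_pos` and `es_info_length` are borrowed from the description only for readability.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ES_INFO_MAX 32   /* hypothetical destination buffer size */

struct entry {
    uint16_t id;
    uint16_t es_info_length;
    uint8_t  es_info[ES_INFO_MAX];
};

/* Big-endian 16-bit read; the caller guarantees two bytes are available. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Parse entries of the hypothetical form { u16 id; u16 es_info_length;
 * u8 es_info[es_info_length] } from an untrusted buffer of `length` bytes.
 * Returns the number of entries parsed, or -1 if the buffer is malformed.
 */
int parse_entries(const uint8_t *buf, size_t length, struct entry *out, size_t max_out)
{
    size_t read_pos = 0;
    size_t n = 0;

    while (read_pos < length) {
        if (n == max_out)
            return -1;                      /* more entries than caller can hold */
        /* Need 4 header bytes. Written as "remaining < 4" instead of
         * "read_pos + 4 > length" so the addition can never wrap. */
        if (length - read_pos < 4)
            return -1;
        out[n].id             = rd16(buf + read_pos);
        out[n].es_info_length = rd16(buf + read_pos + 2);
        read_pos += 4;
        /* Attacker-controlled length: bound it by the bytes left in the
         * input AND by the destination size before the memcpy. */
        if (out[n].es_info_length > length - read_pos)
            return -1;
        if (out[n].es_info_length > ES_INFO_MAX)
            return -1;
        memcpy(out[n].es_info, buf + read_pos, out[n].es_info_length);
        read_pos += out[n].es_info_length;
        n++;
    }
    return (int)n;
}

/* The last four bytes of the message carry a CRC: parse only the body,
 * and reject messages too short to even contain the CRC. */
int parse_message(const uint8_t *msg, size_t length, struct entry *out, size_t max_out)
{
    if (length < 4)
        return -1;
    return parse_entries(msg, length - 4, out, max_out);
}

/* Constructed sample inputs (body bytes followed by a 4-byte CRC placeholder). */
static const uint8_t sample_ok[] = {
    0x00, 0x01, 0x00, 0x02, 0xAA, 0xBB,   /* id 1, 2 bytes of es_info */
    0x00, 0x02, 0x00, 0x00,               /* id 2, empty es_info */
    0xDE, 0xAD, 0xBE, 0xEF                /* CRC, not parsed */
};
static const uint8_t sample_overlong[] = {
    0x00, 0x01, 0x00, 0x05, 0xAA,         /* claims 5 bytes, only 1 present */
    0xDE, 0xAD, 0xBE, 0xEF
};
static const uint8_t sample_short[] = { 0x00, 0x01, 0x00 };  /* shorter than a CRC */

/* Returns 2 on the well-formed sample, and checks the decoded fields. */
int demo_ok(void)
{
    struct entry e[4];
    int n = parse_message(sample_ok, sizeof sample_ok, e, 4);
    if (n == 2 && e[0].id == 1 && e[0].es_info[1] == 0xBB && e[1].id == 2)
        return n;
    return -2;
}
int demo_overlong(void) { struct entry e[4]; return parse_message(sample_overlong, sizeof sample_overlong, e, 4); }
int demo_short(void)    { struct entry e[4]; return parse_message(sample_short, sizeof sample_short, e, 4); }

int main(void)
{
    printf("ok=%d overlong=%d short=%d\n", demo_ok(), demo_overlong(), demo_short());
    return 0;
}
```

The two bounds tests before the memcpy are deliberately separate: one protects the read side (the length field cannot exceed what is left of the input), the other the write side (it cannot exceed the destination). Subtracting from `length` rather than adding to `read_pos` keeps every comparison free of integer wraparound.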