On Sun, Sep 12, 2021 at 6:14 AM Salvatore Bonaccorso <carnil@xxxxxxxxxx> wrote:
>
> On Wed, Sep 01, 2021 at 01:40:26PM +0300, Dan Carpenter wrote:
> > On Mon, Aug 16, 2021 at 10:27:22AM +0300, Dan Carpenter wrote:
> > > The bounds checking in avc_ca_pmt() is not strict enough. It should
> > > be checking "read_pos + 4" because it's reading 5 bytes. If the
> > > "es_info_length" is non-zero then it reads a 6th byte so there needs to
> > > be an additional check for that.
> > >
> > > I also added checks for the "write_pos". I don't think these are
> > > required because "read_pos" and "write_pos" are tied together so
> > > checking one ought to be enough.
They may be in sync at a fixed offset, but the buffer length of the
read ("int length") is not in sync with the buffer length for the
write ("sizeof(c->operand)").
So I do think the write pos limit checking is actually necessary and needed.
> > > RESEND: this patch got lost somehow.
> >
> > What the heck? Someone on patchwork just marked this patch as obsolete
> > again!!!
Can we please make sure patchwork has some logging so that that kind
of thing shows _who_ did this?
> Someone knows what is going on here, i.e. what is the problem?
Dan, can you just send that fix to me directly, with the fixed commit
message (see above), and we can close this.
That still leaves the "who closes things on patchwork" question, but
that's something I can't do anything about.
Linus
