On Thursday 2 April 2020 15:13:39 CEST Dan Carpenter wrote:
> On Wed, Apr 01, 2020 at 01:03:41PM +0200, Jerome Pouiller wrote:
[...]
> This is on the TX side so it's probably okay, but one problem I have
> noticed is that we do this on the RX side as well with checking that
>
> if (skb->len < sizeof(struct hif_msg))
> return -EINVAL;
>
> So we could be reading beyond the end of the skb. If we got really
> unlucky it could lead to an Oops.
>
> regards,
> dan carpenter
>
>
Hello Dan,
The function rx_helper() in bh.c already do some sanity checks received data:
60 WARN(read_len < 4, "corrupted read");
[...]
92 } else {
93 computed_len = round_up(hif->len, 2);
94 }
95 if (computed_len != read_len) {
96 dev_err(wdev->dev, "inconsistent message length: %zu != %zu\n",
97 computed_len, read_len);
98 print_hex_dump(KERN_INFO, "hif: ", DUMP_PREFIX_OFFSET, 16, 1,
99 hif, read_len, true);
100 goto err;
101 }
However, I can improve this code:
- "4" should be replaced by "sizeof(struct hif_msg)" for readability
- hif->len is tested through computed_len, but I am not sure to be able
to prove that it covers all cases
- rx_helper() should recover the error if read_len < 4
I add that on my TODO list.
--
Jérôme Pouiller
