On Tue, Aug 27, 2024 at 10:07:59AM +0800, Matt Johnston wrote:
> 0x7d and 0x7e bytes are meant to be escaped in the data portion of
> frames, but this didn't occur since next_chunk_len() had an off-by-one
> error. That also resulted in the final byte of a payload being written
> as a separate tty write op.
>
> The chunk prior to an escaped byte would be one byte short, and the
> next call would never test the txpos+1 case, which is where the escaped
> byte was located. That meant it never hit the escaping case in
> mctp_serial_tx_work().
>
> Example Input: 01 00 08 c8 7e 80 02
>
> Previous incorrect chunks from next_chunk_len():
>
> 01 00 08
> c8 7e 80
> 02
>
> With this fix:
>
> 01 00 08 c8
> 7e
> 80 02
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding")
> Signed-off-by: Matt Johnston <matt@xxxxxxxxxxxxxxxxxxxx>
Reviewed-by: Larysa Zaremba <larysa.zaremba@xxxxxxxxx>
> ---
> drivers/net/mctp/mctp-serial.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c
> index d7db11355909..82890e983847 100644
> --- a/drivers/net/mctp/mctp-serial.c
> +++ b/drivers/net/mctp/mctp-serial.c
> @@ -91,8 +91,8 @@ static int next_chunk_len(struct mctp_serial *dev)
> * will be those non-escaped bytes, and does not include the escaped
> * byte.
> */
> - for (i = 1; i + dev->txpos + 1 < dev->txlen; i++) {
> - if (needs_escape(dev->txbuf[dev->txpos + i + 1]))
> + for (i = 1; i + dev->txpos < dev->txlen; i++) {
> + if (needs_escape(dev->txbuf[dev->txpos + i]))
> break;
> }
>
>
