Re: [PATCH] rsi: fix oob in rsi_prepare_skb

From: Zekun Shen
Date: Tue Feb 01 2022 - 08:53:01 EST


The maximum length allowed (and without overflow) depends on
the queueno in the switch statement. I don't know the exact format
of the inputs, but there could be a universal and stricter length
restriction in the protocol.

It is possible to fix the problem at the previous check you propose,
we just need to add input parsing for length and queueno there.

The code here seems prone to overflow, since function arguments
only include a single buffer pointer without a remaining byte count.
Moreover, some of the lengths are dynamic and encoded in the
buffer.

For this reason, I think it's easier and more maintainable to add the
check after the existing parsing code and before reading/writing the buffer.