From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755461AbbE2MBD (ORCPT <rfc822;w@1wt.eu>);
	Fri, 29 May 2015 08:01:03 -0400
Received: from aserp1040.oracle.com ([141.146.126.69]:38646 "EHLO
	aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754472AbbE2MA6 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 29 May 2015 08:00:58 -0400
Date: Fri, 29 May 2015 15:00:42 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org,
        Shigekatsu Tateno <shigekatsu.tateno@atmel.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH v3 1/4] ozwpan: Use proper check to prevent heap overflow
Message-ID: <20150529120042.GL28762@mwanda>
References: <1432642669-7289-1-git-send-email-Jason@zx2c4.com>
 <1432897621-4961-1-git-send-email-Jason@zx2c4.com>
 <1432897621-4961-2-git-send-email-Jason@zx2c4.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1432897621-4961-2-git-send-email-Jason@zx2c4.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 29, 2015 at 01:06:58PM +0200, Jason A. Donenfeld wrote:
> --- a/drivers/staging/ozwpan/ozusbsvc1.c
> +++ b/drivers/staging/ozwpan/ozusbsvc1.c
> @@ -390,10 +390,15 @@ void oz_usb_rx(struct oz_pd *pd, struct oz_elt *elt)
>  	case OZ_GET_DESC_RSP: {
>  			struct oz_get_desc_rsp *body =
>  				(struct oz_get_desc_rsp *)usb_hdr;
> -			int data_len = elt->length -
> -					sizeof(struct oz_get_desc_rsp) + 1;
> -			u16 offs = le16_to_cpu(get_unaligned(&body->offset));
> -			u16 total_size =
> +			u16 offs, total_size;
> +			u8 data_len;
> +
> +			if (elt->length < sizeof(struct oz_get_desc_rsp) - 1)
> +				break;
> +			data_len = elt->length -
> +					(sizeof(struct oz_get_desc_rsp) - 1);

Gar...  I'm really sorry.  I wanted to Ack these and be done but why did
the + 1 change to a - 1?  And I had the same question about the other
patch as well.

Sorry for the hassle and thanks for doing this work.

regarsd,
dan carpenter