From mboxrd@z Thu Jan 1 00:00:00 1970 From: Alan Cox Subject: Re: [PATCH V4 5/6] net: maclorawan: Implement maclorawan class module Date: Tue, 4 Dec 2018 20:45:08 +0000 Message-ID: <20181204204508.3ebead06@alans-desktop> References: <20181204141341.4353-6-starnight@g.ncu.edu.tw> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, Marcel Holtmann , linux-kernel@vger.kernel.org, "David S . Miller" , Stefan Schmidt , Dollar Chen , Ken Yu , linux-wpan@vger.kernel.org, Andreas =?UTF-8?B?RsOkcmJlcg==?= , linux-arm-kernel@lists.infradead.org To: Jian-Hong Pan Return-path: In-Reply-To: <20181204141341.4353-6-starnight@g.ncu.edu.tw> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=m.gmane.org@lists.infradead.org List-Id: netdev.vger.kernel.org > +void > +lrw_parse_frame(struct lrw_session *ss, struct sk_buff *skb) > +{ > + struct lrw_fhdr *fhdr = &ss->rx_fhdr; > + __le16 *p_fcnt; > + > + pr_debug("%s: %s\n", LORAWAN_MODULE_NAME, __func__); > + > + /* Get message type */ > + fhdr->mtype = skb->data[0]; > + skb_pull(skb, LRW_MHDR_LEN); This does not seem robust. There is no point at which you actually check the message size is valid etc > + fhdr->fopts_len = fhdr->fctrl & 0xF; > + if (fhdr->fopts_len > 0) { > + memcpy(fhdr->fopts, skb->data, fhdr->fopts_len); > + skb_pull(skb, fhdr->fopts_len); > + } In fact you appear to copy random kernel memory into a buffer > + > + /* TODO: Parse frame options */ > + > + /* Remove message integrity code */ > + skb_trim(skb, skb->len - LRW_MIC_LEN); and then try and trim the buffer to a negative size ? Alan