From: David Miller
Date: Sat, 07 Sep 2019 15:48:09 +0200 (CEST)
Message-Id: <20190907.154809.649105225947712090.davem@davemloft.net>
To: christophe.jaillet@wanadoo.fr
Cc: ajk@comnets.uni-bremen.de, linux-hams@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] net/hamradio/6pack: Fix the size of a sk_buff used in 'sp_bump()'
In-Reply-To: <20190826190209.16795-1-christophe.jaillet@wanadoo.fr>
References: <20190826190209.16795-1-christophe.jaillet@wanadoo.fr>
X-Mailing-List: netdev@vger.kernel.org

From: Christophe JAILLET
Date: Mon, 26 Aug 2019 21:02:09 +0200

> We 'allocate' 'count' bytes here. In fact, 'dev_alloc_skb' already adds some
> extra space for padding, so a bit more is allocated.
>
> However, we use 1 byte for the KISS command, then copy 'count' bytes, so
> count+1 bytes.
>
> Explicitly allocate and use 1 more byte to be safe.
>
> Signed-off-by: Christophe JAILLET

I applied your patch as-is, as it is correct and doesn't change the
contents of the data put into the SKB at all.

->rcount is the cooked count minus two, but then we copy effectively
cooked count minus one bytes from one byte past the beginning of the
cooked buffer and so all the accesses are in range on the input buffer
side.
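The byte accounting discussed in this thread, as an added userspace example that is not the kernel's code and not part of either message. `build_frame`, its parameters and its return codes are hypothetical, and `count = rcount + 1` is an assumption taken from the figures in the reply; unlike `dev_alloc_skb`, the model has no padding, so reserving only `count` bytes is rejected outright.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model: write 1 KISS command byte, then copy 'count' bytes
 * from cooked + 1 into 'out', where 'reserve' bytes were set aside.
 * Returns bytes written, -1 if the writes would pass the reserved area,
 * -2 if the reads would pass the end of the cooked buffer.
 */
static int build_frame(unsigned char *out, size_t reserve,
                       const unsigned char *cooked, size_t cooked_len,
                       size_t rcount, unsigned char cmd)
{
    size_t count = rcount + 1;   /* assumption: payload length as in the thread */
    size_t need = 1 + count;     /* command byte + payload = count + 1 */

    if (need > reserve)
        return -1;               /* output side: 'count' alone is one byte short */
    if (1 + count > cooked_len)
        return -2;               /* input side: cooked[1 .. count] must exist */

    out[0] = cmd;
    memcpy(out + 1, cooked + 1, count);
    return (int)need;
}

int main(void)
{
    /* Constructed sample: cooked count of 10, so rcount = 10 - 2 = 8. */
    unsigned char cooked[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
    unsigned char out[16];
    size_t rcount = sizeof(cooked) - 2, count = rcount + 1;

    printf("reserve count:     %d\n",
           build_frame(out, count, cooked, sizeof(cooked), rcount, 0));
    printf("reserve count + 1: %d\n",
           build_frame(out, count + 1, cooked, sizeof(cooked), rcount, 0));
    return 0;
}
```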