From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.yaina.de (yaina.de [95.216.117.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8EC0B3314C5; Wed, 8 Apr 2026 20:59:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.216.117.176 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775681958; cv=none; b=F9gIeOj88+FiYKwiI0iWJzEu7RRpbA3PSlEKpTZE8IvglITzG/2NyEHSQa5jQzy28IIhBdeT1RC+oMbMccPv7VGgrmiMWp5/eBNPtI9YiMl9AHR7cZS73xwJVB0KB9Zoub6YcwhNthIOjTDt09zddNIZP9I4fwmR3Fld901awJI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775681958; c=relaxed/simple; bh=oGn7Kg1BTlvOaR2h07xr9FmAxNwd6XMBe9l3iunfQfw=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=rbdWE8/NJ0r/1gS56GPH9bx/KF+2VTTCsV1b87dUMNDNQK2vyyGEJ2hAK9Xct7CGoD+7fxNA+Dn7mMNCisU+vV3E2cWYsN6II9RrheM0FoCRGu2Ow49YJ/uF2EZQqYHIMt1sao7q9JqZf2XGX5k8EfKsrFN8wW2G8nh7Bozy678= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=yaina.de; spf=pass smtp.mailfrom=yaina.de; dkim=pass (1024-bit key) header.d=yaina.de header.i=@yaina.de header.b=wVIkMRK2; arc=none smtp.client-ip=95.216.117.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=yaina.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=yaina.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=yaina.de header.i=@yaina.de header.b="wVIkMRK2" Received: from lycaon.yaina.de (ip1f118239.dynamic.kabel-deutschland.de [31.17.130.57]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "lykos.yaina.de", Issuer "CAcert Class 3 Root" (not verified)) by mail.yaina.de (Postfix) with ESMTPSA id 3EF1C7CDEEC7; Wed, 08 Apr 2026 22:51:06 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yaina.de; s=mail; t=1775681466; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=lVzdl6wAk2jhIhIak1BJv8WP6VL8FEB4gR39X/vx0Ws=; b=wVIkMRK2VRy1EHYUzXyx/orrB2v37wCr62ea61LBtDR+gFni68Hnj763SBZhmfzoFCZx8M xGxyS6NCijuxoYOLtARCMrlIwO0GTb6jPjit9dnLYYWzaF/g/heG6YlartTJptRTuPwupN +S069Ec9JZmYRrJ7fr0mEikCX0xcoaE= Received: by lycaon.yaina.de (Postfix, from userid 500) id 81CC4300E40; Wed, 08 Apr 2026 22:51:05 +0200 (CEST) Date: Wed, 8 Apr 2026 22:51:05 +0200 From: Joerg Reuter To: Mashiro Chen Cc: netdev@vger.kernel.org, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-hams@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH net 2/2] net: hamradio: scc: validate bufsize in SIOCSCCSMEM ioctl Message-ID: References: <20260408172358.281186-1-mashiro.chen@mailbox.org> <20260408172358.281186-3-mashiro.chen@mailbox.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260408172358.281186-3-mashiro.chen@mailbox.org> Hi, Am Thu, Apr 09, 2026 at 01:23:58AM +0800 schrieb Mashiro Chen: > If a privileged user (CAP_SYS_RAWIO) sets bufsize to 0, the receive > interrupt handler later calls dev_alloc_skb(0) and immediately writes > a KISS type byte via skb_put_u8() into a zero-capacity socket buffer, > corrupting the adjacent skb_shared_info region. Oops, that's unfortunate. > The scc.c comment already states the buffer must not exceed 4096 bytes, > but this limit is never enforced. That was a limit 30 years ago when we couldn't have skbs larger than one page. I'm not sure if anyone is actually using AX.25 jumbograms with a Zilog SCC controller, that doesn't make much sense to me. But maybe someone out there is indeed running IP over huge AX.25 UI frames, thus I'm not a fan of enforcing an upper limit either. It's hamradio, you're supposed to tinker. I'm okay with a mininum size of 16, of course. 73, Joerg -- Joerg Reuter http://yaina.de/jreuter And I make my way to where the warm scent of soil fills the evening air. Everything is waiting quietly out there.... (Anne Clark)