lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8775808f-5a21-af7a-4e32-126d231dd681@gmail.com>
Date:   Fri, 30 Sep 2016 19:53:00 +0100
From:   Malcolm Priestley <tvboxspy@...il.com>
To:     Dan Carpenter <dan.carpenter@...cle.com>,
        Martin Alonso <martin.alonso@...o.com>
Cc:     pasteka@...si.at, devel@...verdev.osuosl.org,
        gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
        forest@...ttletooquiet.net, joe@...ches.com
Subject: Re: [PATCH 2/2] staging: vt6656: Make 'rx_rate' u8 instead of u8 *

On 28/09/16 08:40, Dan Carpenter wrote:
> On Tue, Sep 27, 2016 at 02:52:49PM -0300, Martin Alonso wrote:
>> Change the type and uses of rx_rate.
>>
>> Signed-off-by: Martin Alonso <martin.alonso@...o.com>
>> ---
>>  drivers/staging/vt6656/dpc.c | 9 +++++----
>>  1 file changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/staging/vt6656/dpc.c b/drivers/staging/vt6656/dpc.c
>> index 655f000..782b7d7 100644
>> --- a/drivers/staging/vt6656/dpc.c
>> +++ b/drivers/staging/vt6656/dpc.c
>> @@ -46,7 +46,8 @@ int vnt_rx_data(struct vnt_private *priv, struct vnt_rcb *ptr_rcb,
>>  	__le64 *tsf_time;
>>  	u32 frame_size;
>>  	int ii, r;
>> -	u8 *rx_rate, *sq, *sq_3;
>> +	u8 rx_rate;
>> +	u8 *sq, *sq_3;
>>  	u32 wbk_status;
>>  	u8 *skb_data;
>>  	u16 *pay_load_len;
>> @@ -75,7 +76,7 @@ int vnt_rx_data(struct vnt_private *priv, struct vnt_rcb *ptr_rcb,
>>
>>  	skb_data = (u8 *)skb->data;
>>
>> -	rx_rate = skb_data + 5;
>> +	rx_rate = *(skb_data + 5);
>
> It occurs to me that we don't check that skb->len is large enough here.
> We just assume it has at least 5 bytes.
>
> TODO: vt6656: verify skb->len before using it.

skb->len is always set to the tail room then trimmed by this function.

Regards

Malcolm

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ