[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20181211152345.gdlu6rnzng3kddgo@x220t>
Date: Tue, 11 Dec 2018 10:23:45 -0500
From: Alexander Aring <aring@...atatu.com>
To: Stefan Schmidt <stefan@...enfreihafen.org>
Cc: David Miller <davem@...emloft.net>, yuehaibing@...wei.com,
h.morris@...coda.com, alex.aring@...il.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
linux-wpan@...r.kernel.org
Subject: Re: [PATCH net-next] ieee802154: ca8210: fix possible u8 overflow in
ca8210_rx_done
Hi Stefan,
On Tue, Dec 11, 2018 at 09:26:37AM +0100, Stefan Schmidt wrote:
> Hello Dave.
>
> On 11.12.18 07:01, David Miller wrote:
> > From: YueHaibing <yuehaibing@...wei.com>
> > Date: Tue, 11 Dec 2018 11:13:39 +0800
> >
> >> gcc warning this:
> >>
> >> drivers/net/ieee802154/ca8210.c:730:10: warning:
> >> comparison is always false due to limited range of data type [-Wtype-limits]
> >>
> >> 'len' is u8 type, we get it from buf[1] adding 2, which can overflow.
> >> This patch change the type of 'len' to unsigned int to avoid this,also fix
> >> the gcc warning.
> >>
> >> Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
> >> Signed-off-by: YueHaibing <yuehaibing@...wei.com>
> >
> > WPAN maintainers, I am assuming that as maintainers you will be
> > picking this up and sending it to me.
>
> That's correct. On driver patches I always wait 2 days or so to give the
> driver maintainer a chance to reply before I go ahead and apply it.
>
> I will take this one directly now and do some smoke testing. It will
> come together with another fix as pull request to you.
>
If this "len" is related to the frame (error message says packet) length when
"rx_done()" what the function name tells me, I think what the drivers
is looking for is:
ieee802154_is_valid_psdu_len() plus maybe before calculation of the length
depends what else the transceiver put as payload.
side note:
All drivers need to check if the length is valid as this is transmitted
in the PHY header and even not portected by CRC which is only for the
MAC payload. I had some ugly bufferoverflows expierence with some
at86rf2xx while my microwave was on.
- Alex
Powered by blists - more mailing lists