Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755053AbbEOSE4 (ORCPT <rfc822;w@1wt.eu>);
	Fri, 15 May 2015 14:04:56 -0400
Received: from frisell.zx2c4.com ([192.95.5.64]:54935 "EHLO frisell.zx2c4.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1754711AbbEOSEx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 15 May 2015 14:04:53 -0400
MIME-Version: 1.0
In-Reply-To: <CAHmME9oA3AxBvAYyu38o4Teo3QBjvJZLzmiAv7RyThGbtv6zkw@mail.gmail.com>
References: <1431542014-3239-1-git-send-email-Jason@zx2c4.com>
	<1431542014-3239-2-git-send-email-Jason@zx2c4.com>
	<063D6719AE5E284EB5DD2968C1650D6D1CB36893@AcuExch.aculab.com>
	<CAHmME9oA3AxBvAYyu38o4Teo3QBjvJZLzmiAv7RyThGbtv6zkw@mail.gmail.com>
Date: Fri, 15 May 2015 20:04:47 +0200
Message-ID: <CAHmME9rCLwVyR6Pe1htrNxsFyQ6Y75E9OiUfnziYg1_cmX+3Lg@mail.gmail.com>
Subject: Re: [PATCH 1/4] ozwpan: Use proper check to prevent heap overflow
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: David Laight <David.Laight@aculab.com>
Cc: linux-kernel@vger.kernel.org, shigekatsu.tateno@atmel.com,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        devel@driverdev.osuosl.org
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1245
Lines: 27

On May 15, 2015 4:10 PM, "David Laight" <David.Laight@aculab.com> wrote:
> Why not just check the length. eg:
>                         unsigned int data_len = elt->length;
>                         if (data_len < sizeof(struct oz_get_desc_rsp) + 1)
>                                 break;

Sure.

> >                       u16 offs = le16_to_cpu(get_unaligned(&body->offset));
> >                       u16 total_size =
> >                               le16_to_cpu(get_unaligned(&body->total_size));
>
> Don't put variable definitions after code.
>
> You don't really want to do arithmetic on local variables that are
> smaller than a machine word (eg u8 and u16), doing so can require
> the compiler generate a lot more code.

This is code is just part of the patch context. Care to submit a
follow up patch fixing this so the maintainer can incorporate it? FYI,
this is a common occurrence throughout the driver, and a patch set
should probably be posted that systematically fixes this problem.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/