Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp914659imu;
        Tue, 11 Dec 2018 09:29:08 -0800 (PST)
X-Google-Smtp-Source: AFSGD/W0GdHTFqcVcAv0IXxaxn7SDiPWE10uoGDyAYEEDBZlKMi54gInEbM+MeLshjyfSB1nTNpJ
X-Received: by 2002:a62:5e41:: with SMTP id s62mr16928209pfb.232.1544549348914;
        Tue, 11 Dec 2018 09:29:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1544549348; cv=none;
        d=google.com; s=arc-20160816;
        b=yLRMvNLBnPhJADiL4qVDC/mK0s15l70AM8v5E5O5p5Z4/bK6L80UZI/f4pNaXKIJhV
         i/bPcAW6Y81Jr1aU++pyj6b7c3l/ag2gyu6BhTbTt7sysNDJWSr3Zktm4bTKT7C65y1+
         1oP9RJy85If4KbyPivOSAGl/9UKFNh7wbKGHrV8mD9387ddQjaOOINpecJYoIr0w6BgU
         J9ZU472zZnz5YEIvgBsGPJ4OdS4bIkMKM3I5PIlLPl6ZhM9vpG7WicIm83jSqmivkFiw
         QoeqcADrgl4nPmGhwvgijXPhiT3PcLURhdCjA/bA9pNghkFBy9U5BSyPUazN8iI4Tutc
         e0PQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=yoaN8Y+Eu1T7LptkPRHLCJC61d2gygAwEAcsSxhpB68=;
        b=K6Dq350gamnP3TUd83it/a9spN392UR776A1dcZAybuKRWNZzrW7MLcVspASGMoNHQ
         vJV4VGEq7IAuBmB4t3l1FIXcoD28fIlmII8RIaH5lj/YmvCLOK5BZQLIWbEoakyWAYM0
         N+IwHErtGKjjSQZ8MIPfP4H5jzytfGm9n7EpJ122ByVtf6JSPTsEicWMcaEmDoMscz1K
         IcqT4tpcPQN8kuHqOcrIM88miECXjKHee9+peCKhw46xfOKazTfNzfKvMeTtXHvYyysV
         vuOxOMeuQqtYHLWVKYx1yaVTmOfUe5ctFqjjKHp4bUPlaGrVwzXfZXLjO4RpX4Ktq23d
         Kl2Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mojatatu-com.20150623.gappssmtp.com header.s=20150623 header.b="UxvUYo/1";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o184si11765701pgo.591.2018.12.11.09.28.52;
        Tue, 11 Dec 2018 09:29:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mojatatu-com.20150623.gappssmtp.com header.s=20150623 header.b="UxvUYo/1";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726862AbeLKPXz (ORCPT <rfc822;ivid.suvarna@gmail.com>
        + 99 others); Tue, 11 Dec 2018 10:23:55 -0500
Received: from mail-it1-f195.google.com ([209.85.166.195]:34569 "EHLO
        mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726811AbeLKPXx (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 11 Dec 2018 10:23:53 -0500
Received: by mail-it1-f195.google.com with SMTP id x124so11105938itd.1
        for <linux-kernel@vger.kernel.org>; Tue, 11 Dec 2018 07:23:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=mojatatu-com.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=yoaN8Y+Eu1T7LptkPRHLCJC61d2gygAwEAcsSxhpB68=;
        b=UxvUYo/1vxrt2tHkpQXCRI313zVmwCycaYHNmRQLb33etQ5jy86KoxvwXiF8Y4sP1V
         pdmKPNvo/SM1Yb26n+uceBYgOTRyQG4gZ6A1jbcpk7/JWoQ1CY0m0St0shUXUdbvmqRl
         qsgp7BErDQ4l01Bcl7ExkoFg+dE0uVcw+GxYlXlIA0KeSpnbjmlLqT5PyDHko87TbK15
         +x6sxYEh2LvpI+w2MuymA5xRsfm3TQDzmHlyyX4TBFRGsvN7Bu6SggR9PtEW/arYBDXg
         30IGW2bVDvHQLM97Aw04d+eYkQdC83qZ6zeAKl28sdP+nW8khc1v2NWDY5/etr3IxhvS
         4V8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=yoaN8Y+Eu1T7LptkPRHLCJC61d2gygAwEAcsSxhpB68=;
        b=o5zpzFlgd4X9AoNHR807MLQTXVBeFr51iiIsZQfwTB3rGGd6ZUT0GshhU8JtlrubJ+
         OtwJiglLDFsezkEHYYJ0EeSyX8QN6/83BPtGDMuMNlk1+OKLe83F9OMaRA7NZlxTKEkf
         VPn+ECtVUAsE5UX2nafZ1JMWaAvWm4R/U+aR1XfZmtHGUxaE4OIZZ2Y1uvtPJE5wwgVP
         86CR85S2vFdqg2Tevy9pkO685SfCMM8P85ffcUsBTZRzxMN0H+HXfwCpvmHQzzHXgw2M
         r9kbgtVuNt4Y3fUqVGiMBAoZfs66HJJmzHl8IXhAmtLIoTaQsuW/5AFXMqJ8Td32vLlp
         C04A==
X-Gm-Message-State: AA+aEWZs2A9Bbq1rLVlDgA14IPUOKwjQ4HM4+I7iY13vfStEnYTygl2e
        Wa6Aeumnd/vCboDDj0rmgaSVPg==
X-Received: by 2002:a24:128a:: with SMTP id 132mr2516456itp.80.1544541831805;
        Tue, 11 Dec 2018 07:23:51 -0800 (PST)
Received: from x220t ([64.26.149.125])
        by smtp.gmail.com with ESMTPSA id m81sm1349534itb.43.2018.12.11.07.23.50
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 11 Dec 2018 07:23:50 -0800 (PST)
Date:   Tue, 11 Dec 2018 10:23:45 -0500
From:   Alexander Aring <aring@mojatatu.com>
To:     Stefan Schmidt <stefan@datenfreihafen.org>
Cc:     David Miller <davem@davemloft.net>, yuehaibing@huawei.com,
        h.morris@cascoda.com, alex.aring@gmail.com,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        linux-wpan@vger.kernel.org
Subject: Re: [PATCH net-next] ieee802154: ca8210: fix possible u8 overflow in
 ca8210_rx_done
Message-ID: <20181211152345.gdlu6rnzng3kddgo@x220t>
References: <20181211031339.21048-1-yuehaibing@huawei.com>
 <20181210.220107.751606140724107779.davem@davemloft.net>
 <87dbac94-8b2e-8cef-5166-8c130529ceb9@datenfreihafen.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <87dbac94-8b2e-8cef-5166-8c130529ceb9@datenfreihafen.org>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Stefan,

On Tue, Dec 11, 2018 at 09:26:37AM +0100, Stefan Schmidt wrote:
> Hello Dave.
> 
> On 11.12.18 07:01, David Miller wrote:
> > From: YueHaibing <yuehaibing@huawei.com>
> > Date: Tue, 11 Dec 2018 11:13:39 +0800
> > 
> >> gcc warning this:
> >>
> >> drivers/net/ieee802154/ca8210.c:730:10: warning:
> >>  comparison is always false due to limited range of data type [-Wtype-limits]
> >>
> >> 'len' is u8 type, we get it from buf[1] adding 2, which can overflow.
> >> This patch change the type of 'len' to unsigned int to avoid this,also fix
> >> the gcc warning.
> >>
> >> Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
> >> Signed-off-by: YueHaibing <yuehaibing@huawei.com>
> > 
> > WPAN maintainers, I am assuming that as maintainers you will be
> > picking this up and sending it to me.
> 
> That's correct. On driver patches I always wait 2 days or so to give the
> driver maintainer a chance to reply before I go ahead and apply it.
> 
> I will take this one directly now and do some smoke testing. It will
> come together with another fix as pull request to you.
>

If this "len" is related to the frame (error message says packet) length when
"rx_done()" what the function name tells me, I think what the drivers
is looking for is:

ieee802154_is_valid_psdu_len() plus maybe before calculation of the length
depends what else the transceiver put as payload.

side note:

All drivers need to check if the length is valid as this is transmitted
in the PHY header and even not portected by CRC which is only for the
MAC payload. I had some ugly bufferoverflows expierence with some
at86rf2xx while my microwave was on.

- Alex