Date: Tue, 1 Feb 2022 08:52:54 -0500
From: Zekun Shen
To: Kalle Valo
Cc: Amitkumar Karwar, Siva Rebbagondla, "David S. Miller", Jakub Kicinski, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, brendandg@nyu.edu
Subject: Re: [PATCH] rsi: fix oob in rsi_prepare_skb
Message-ID:
References: <87y22udbyg.fsf@kernel.org>
In-Reply-To: <87y22udbyg.fsf@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The maximum length allowed (and without overflow) depends on the queueno in the switch statement. I don't know the exact format of the inputs, but there could be a universal and stricter length restriction in the protocol. It is possible to fix the problem at the previous check you propose; we just need to add input parsing for length and queueno there.

The code here seems prone to overflow, since function arguments only include a single buffer pointer without a remaining byte count. Moreover, some of the lengths are dynamic and encoded in the buffer. For this reason, I think it's easier and more maintainable to add the check after existing parsing code and before reading/writing the buffer.
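The pattern Zekun argues for, as an added example that is not the rsi driver's code: the function receives the number of bytes actually received alongside the buffer pointer, parses the buffer-encoded length and queueno, and checks both against a per-queue maximum before any read or write of the payload. The 3-byte header layout (little-endian length, then queueno), the queue numbers and the limits are assumptions made for illustration, not the rsi frame format.

```c
/* Added example, not the rsi driver's code. A parser that carries the
 * received byte count and checks the buffer-encoded length against a
 * per-queue maximum after parsing, before any copy. The 3-byte header
 * (le16 length, u8 queueno) and the queue limits are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN        3
#define QUEUE_DATA     0
#define QUEUE_MGMT     1
#define QUEUE_MAX_DATA 1500
#define QUEUE_MAX_MGMT 256

/* Maximum payload a queue may carry; 0 marks an unknown queue (reject). */
static size_t queue_limit(uint8_t queueno)
{
    switch (queueno) {
    case QUEUE_DATA: return QUEUE_MAX_DATA;
    case QUEUE_MGMT: return QUEUE_MAX_MGMT;
    default:         return 0;
    }
}

/* Parse a frame and copy its payload into dst. Returns the payload length,
 * or -1 when the header or the encoded length exceeds buf_len (bytes
 * actually received) or the queue's limit, or dst is too small. */
int copy_frame_payload(const uint8_t *buf, size_t buf_len,
                       uint8_t *dst, size_t dst_len)
{
    if (buf_len < HDR_LEN)
        return -1;                      /* header itself is truncated */

    /* Lengths are dynamic: they come from the buffer, not from the caller. */
    size_t len = (size_t)buf[0] | ((size_t)buf[1] << 8);
    uint8_t queueno = buf[2];
    size_t limit = queue_limit(queueno);

    /* The check sits after parsing and before the read/write of the payload. */
    if (limit == 0 || len > limit || len > buf_len - HDR_LEN || len > dst_len)
        return -1;

    memcpy(dst, buf + HDR_LEN, len);
    return (int)len;
}
```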