Date: Tue, 11 Feb 2020 09:51:01 +0300
From: Dan Carpenter
To: Ajay.Kathat@microchip.com
Cc: linux-wireless@vger.kernel.org, devel@driverdev.osuosl.org, gregkh@linuxfoundation.org, johannes@sipsolutions.net, Adham.Abozaeid@microchip.com
Subject: Re: [PATCH 3/3] staging: wilc1000: refactor p2p action frames handling API's
Message-ID: <20200211065101.GC1778@kadam>
In-Reply-To: <20200211000652.4781-3-ajay.kathat@microchip.com>

On Mon, Feb 10, 2020 at 06:36:01PM +0000, Ajay.Kathat@microchip.com wrote:
> + if (sta_ch == WILC_INVALID_CHANNEL)
> + return;
>
> while (index < len) {

This range checking was there in the original code, but it's not correct.
index and len are in terms of bytes so we know that we can read one byte
from &buf[index] but we are reading a wilc_attr_entry struct which is
larger than a type.  The struct is actually flexibly sized so this should
be something like:

	while (index + sizeof(struct wilc_attr_entry) <= len) {
		e = (struct wilc_attr_entry *)&buf[index];
		if (index + sizeof(struct wilc_attr_entry) +
		    le16_to_cpu(e->attr_len) > len)
			break;

> - if (buf[index] == CHANLIST_ATTR_ID)
> - channel_list_attr_index = index;
> - else if (buf[index] == OPERCHAN_ATTR_ID)
> - op_channel_attr_index = index;
> - index += buf[index + 1] + 3;
> + e = (struct wilc_attr_entry *)&buf[index];
> + if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST)
> + ch_list_idx = index;
> + else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL)
> + op_ch_idx = index;
> + if (ch_list_idx && op_ch_idx)
> + break;
> + index += le16_to_cpu(e->attr_len) + sizeof(*e);
> }

regards,
dan carpenter
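
Review bot: in the loop body, `if (ch_list_idx && op_ch_idx) break;` uses 0 as the "not found" value, so if either attribute can start at offset 0 of buf its index is indistinguishable from "not found" and the early exit never fires; a separate found flag or a negative sentinel avoids that. The cast `e = (struct wilc_attr_entry *)&buf[index];` also reads the 16-bit attr_len at an arbitrary byte offset, so the struct should be declared packed or the length read with get_unaligned_le16().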
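
The range check described in the reply above, as an added user-space example; it is not code from the patch or from the wilc1000 driver. The names find_attr, attr_len_at and ATTR_* are hypothetical, the sample buffers are constructed, and the 3-byte header (1-byte type, 2-byte little-endian length) is assumed from the `+ 3` in the removed line.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space stand-ins for the driver's attribute IDs. */
#define ATTR_CHANNEL_LIST 11
#define ATTR_OPER_CHANNEL 17
#define ATTR_HDR_LEN 3 /* assumed: 1-byte type + 2-byte little-endian length */

/* Constructed samples: well-formed, oversized length, and cut-off header. */
static const uint8_t sample_ok[]        = { 17, 2, 0, 0xAA, 0xBB, 11, 1, 0, 0xCC };
static const uint8_t sample_trunc[]     = { 17, 2, 0, 0xAA, 0xBB, 11, 4, 0, 0xCC };
static const uint8_t sample_short_hdr[] = { 17, 2, 0, 0xAA, 0xBB, 11, 1 };

/* Read the length byte by byte: no alignment or host-endianness assumptions. */
static uint16_t attr_len_at(const uint8_t *buf, size_t index)
{
	return (uint16_t)(buf[index + 1] | (buf[index + 2] << 8));
}

/*
 * Return the offset of the first attribute of the given type, or -1.
 * An attribute is only looked at when its header and its payload both lie
 * inside buf. index never exceeds len, so the subtractions cannot wrap.
 */
long find_attr(const uint8_t *buf, size_t len, uint8_t type)
{
	size_t index = 0;

	while (len - index >= ATTR_HDR_LEN) {	/* whole header is readable */
		size_t attr_len = attr_len_at(buf, index);

		if (attr_len > len - index - ATTR_HDR_LEN)
			break;			/* payload would run past buf */
		if (buf[index] == type)
			return (long)index;
		index += ATTR_HDR_LEN + attr_len;
	}
	return -1;
}

int main(void)
{
	printf("ok: %ld\n", find_attr(sample_ok, sizeof(sample_ok), ATTR_CHANNEL_LIST));
	printf("oversized length: %ld\n",
	       find_attr(sample_trunc, sizeof(sample_trunc), ATTR_CHANNEL_LIST));
	printf("short header: %ld\n",
	       find_attr(sample_short_hdr, sizeof(sample_short_hdr), ATTR_CHANNEL_LIST));
	return 0;
}
```

With a bare `index < len` test, the cut-off header sample would have its length field read from beyond the end of the buffer; here both malformed samples are rejected before any out-of-range byte is touched.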