Message-ID: <9ad63828-3c85-fcc4-a91d-58e1d16b60b7@yandex.ru>
Date: Wed, 9 Aug 2023 12:35:37 +0300
From: Dmitry Antipov
To: Brian Norris
Cc: Kalle Valo, linux-wireless@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: [PATCH] wifi: mwifiex: avoid possible NULL skb pointer dereference
References: <20230808084431.43548-1-dmantipov@yandex.ru>
X-Mailing-List: linux-wireless@vger.kernel.org

On 8/8/23 23:11, Brian Norris wrote:
> This feels like it should be 'rx_dropped', since we're dropping it
> before we've done any real "RX" (let alone getting to any forward/outbound
> operation). I doubt it makes a big difference overall, but it seems like
> the right thing to do.

This is somewhat confusing for me indeed. In 'mwifiex_uap_queue_bridged_pkt()',
both 'rx_dropped' and 'tx_dropped' may be incremented, for different reasons
(unexpected skb layout and error (re)allocating new skb, respectively). And I
have some doubts on 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow
when rx packets").
Looking through 'mwifiex_uap_queue_bridged_pkt()' again, it seems that
'return' is missing:

	if (sizeof(*rx_pkt_hdr) + le16_to_cpu(uap_rx_pd->rx_pkt_offset) >
	    skb->len) {
		mwifiex_dbg(adapter, ERROR,
			    "wrong rx packet offset: len=%d,rx_pkt_offset=%d\n",
			    skb->len, le16_to_cpu(uap_rx_pd->rx_pkt_offset));
		priv->stats.rx_dropped++;
		dev_kfree_skb_any(skb);
		/* HERE */
	}

	if ((!memcmp(&rx_pkt_hdr->rfc1042_hdr, bridge_tunnel_header,

because 'rx_pkt_hdr' points to 'skb->data' plus some offset (see above), so
reading freed memory with 'memcmp()' causes undefined behavior. And likewise
for 'mwifiex_process_rx_packet()' (but not for 'mwifiex_process_uap_rx_packet()'
where 'return 0' looks correct).

Dmitry
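The following is an added example and is not code from this mail or from the mwifiex driver: a stand-alone C model of the offset check discussed above, written with the early return in place so that no code path touches the buffer after it has been freed. The structure layouts, the rx_stats counters, the rx_verdict values and the make_pkt() helper are assumptions made for this demonstration; only the check itself, the counter name and the two SNAP prefixes follow the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-ins for the driver structures named in the mail. The
 * field names follow the thread; the layouts are assumptions, not mwifiex's.
 */
struct uap_rxpd {
	uint16_t rx_pkt_offset;	/* le16 in the real descriptor */
	uint16_t rx_pkt_length;
};

struct rx_packet_hdr {
	uint8_t dst_addr[6];
	uint8_t src_addr[6];
	uint8_t rfc1042_hdr[6];	/* LLC/SNAP prefix the driver compares */
};

struct rx_stats {
	unsigned long rx_dropped;
	unsigned long accepted;
};

static const uint8_t bridge_tunnel_header[6] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
static const uint8_t rfc1042_header[6]       = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 };

enum rx_verdict {
	RX_DROP_BAD_OFFSET = -1,	/* descriptor points past the buffer */
	RX_ENCAP_NONE = 0,		/* no SNAP prefix at rx_pkt_offset */
	RX_ENCAP_SNAP = 1,		/* RFC 1042 or bridge-tunnel prefix */
};

/*
 * Takes ownership of 'data' the way the driver takes ownership of the skb.
 * Every path that frees the buffer returns at once, and the header pointer
 * is only formed after the offset check has passed.
 */
static int classify_bridged_pkt(uint8_t *data, size_t len, struct rx_stats *st)
{
	const struct uap_rxpd *rxpd;
	const struct rx_packet_hdr *hdr;
	uint16_t off;

	if (len < sizeof(*rxpd)) {	/* not even a full descriptor */
		st->rx_dropped++;
		free(data);
		return RX_DROP_BAD_OFFSET;
	}
	rxpd = (const struct uap_rxpd *)data;
	off = rxpd->rx_pkt_offset;	/* le16_to_cpu() in the driver */

	if (sizeof(*hdr) + off > len) {
		st->rx_dropped++;
		free(data);		/* stands in for dev_kfree_skb_any(skb) */
		return RX_DROP_BAD_OFFSET;	/* the 'return' the mail says is missing */
	}

	hdr = (const struct rx_packet_hdr *)(data + off);
	st->accepted++;
	if (!memcmp(hdr->rfc1042_hdr, bridge_tunnel_header, sizeof(bridge_tunnel_header)) ||
	    !memcmp(hdr->rfc1042_hdr, rfc1042_header, sizeof(rfc1042_header))) {
		free(data);
		return RX_ENCAP_SNAP;
	}
	free(data);
	return RX_ENCAP_NONE;
}

/*
 * Build a constructed buffer: descriptor first, packet header at 'off'.
 * 'snap' (6 bytes, or NULL for zeros) fills rfc1042_hdr when it fits.
 * The caller hands the result to classify_bridged_pkt(), which frees it.
 */
static uint8_t *make_pkt(uint16_t off, size_t total_len, const uint8_t *snap)
{
	uint8_t *buf = calloc(total_len ? total_len : 1, 1);
	struct uap_rxpd pd = { .rx_pkt_offset = off, .rx_pkt_length = 0 };

	if (!buf)
		abort();
	if (total_len >= sizeof(pd))
		memcpy(buf, &pd, sizeof(pd));
	if (snap && (size_t)off + sizeof(struct rx_packet_hdr) <= total_len)
		memcpy(buf + off + offsetof(struct rx_packet_hdr, rfc1042_hdr), snap, 6);
	return buf;
}

int main(void)
{
	struct rx_stats st = { 0, 0 };
	int v;

	v = classify_bridged_pkt(make_pkt(4, 22, rfc1042_header), 22, &st);
	printf("well-formed SNAP frame: verdict=%d\n", v);
	v = classify_bridged_pkt(make_pkt(60000, 64, NULL), 64, &st);
	printf("offset past buffer: verdict=%d rx_dropped=%lu\n", v, st.rx_dropped);
	return 0;
}
```

The second call in main() is the case the mail is about: an offset that places the header beyond the end of the buffer. With the return in place the function drops the frame and never forms the header pointer; removing that return and building with AddressSanitizer (or running the real driver under KASAN) turns the later memcmp() into a reported heap use-after-free, which is the practical way to confirm the bug rather than reasoning about it by eye.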