Linux-WPAN Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH wpan] ieee802154: hwsim: fix off-by-one in parse nested
@ 2018-11-29 22:38 Alexander Aring
  2018-11-29 22:40 ` Alexander Aring
  0 siblings, 1 reply; 2+ messages in thread
From: Alexander Aring @ 2018-11-29 22:38 UTC (permalink / raw)
  To: stefan; +Cc: linux-wpan, Alexander Aring

This patch fixes a off-by-one mistake in nla_parse_nested() functions of
mac802154_hwsim driver. I had to enabled stack protector so I was able
to reproduce it.

Reference: https://github.com/linux-wpan/wpan-tools/issues/17

Signed-off-by: Alexander Aring <aring@mojatatu.com>
---
 drivers/net/ieee802154/mac802154_hwsim.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
index bf70ab892e69..fbcbf55ce744 100644
--- a/drivers/net/ieee802154/mac802154_hwsim.c
+++ b/drivers/net/ieee802154/mac802154_hwsim.c
@@ -500,7 +500,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info)
 	    !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
 		return -EINVAL;
 
-	if (nla_parse_nested(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX + 1,
+	if (nla_parse_nested(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX,
 			     info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE],
 			     hwsim_edge_policy, NULL))
 		return -EINVAL;
@@ -543,6 +543,7 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
 	struct hwsim_edge_info *einfo;
 	struct hwsim_phy *phy_v0;
 	struct hwsim_edge *e;
+
 	u32 v0, v1;
 	u8 lqi;
 
@@ -550,7 +551,7 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
 	    !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
 		return -EINVAL;
 
-	if (nla_parse_nested(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX + 1,
+	if (nla_parse_nested(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX,
 			     info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE],
 			     hwsim_edge_policy, NULL))
 		return -EINVAL;
-- 
2.11.0

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH wpan] ieee802154: hwsim: fix off-by-one in parse nested
  2018-11-29 22:38 [PATCH wpan] ieee802154: hwsim: fix off-by-one in parse nested Alexander Aring
@ 2018-11-29 22:40 ` Alexander Aring
  0 siblings, 0 replies; 2+ messages in thread
From: Alexander Aring @ 2018-11-29 22:40 UTC (permalink / raw)
  To: stefan; +Cc: linux-wpan

On Thu, Nov 29, 2018 at 05:38:37PM -0500, Alexander Aring wrote:
> This patch fixes a off-by-one mistake in nla_parse_nested() functions of
> mac802154_hwsim driver. I had to enabled stack protector so I was able
> to reproduce it.
> 
> Reference: https://github.com/linux-wpan/wpan-tools/issues/17
> 
> Signed-off-by: Alexander Aring <aring@mojatatu.com>
> ---
>  drivers/net/ieee802154/mac802154_hwsim.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ieee802154/mac802154_hwsim.c b/drivers/net/ieee802154/mac802154_hwsim.c
> index bf70ab892e69..fbcbf55ce744 100644
> --- a/drivers/net/ieee802154/mac802154_hwsim.c
> +++ b/drivers/net/ieee802154/mac802154_hwsim.c
> @@ -500,7 +500,7 @@ static int hwsim_del_edge_nl(struct sk_buff *msg, struct genl_info *info)
>  	    !info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE])
>  		return -EINVAL;
>  
> -	if (nla_parse_nested(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX + 1,
> +	if (nla_parse_nested(edge_attrs, MAC802154_HWSIM_EDGE_ATTR_MAX,
>  			     info->attrs[MAC802154_HWSIM_ATTR_RADIO_EDGE],
>  			     hwsim_edge_policy, NULL))
>  		return -EINVAL;
> @@ -543,6 +543,7 @@ static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info)
>  	struct hwsim_edge_info *einfo;
>  	struct hwsim_phy *phy_v0;
>  	struct hwsim_edge *e;
> +

grml, I will fix that...

- Alex

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-29 22:38 [PATCH wpan] ieee802154: hwsim: fix off-by-one in parse nested Alexander Aring
2018-11-29 22:40 ` Alexander Aring

Linux-WPAN Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-wpan/0 linux-wpan/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-wpan linux-wpan/ https://lore.kernel.org/linux-wpan \
		linux-wpan@vger.kernel.org
	public-inbox-index linux-wpan

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-wpan


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git