Thread (21 messages, 3 authors, 2014-09-09)

Re: [PATCH v3 1/3] mfd: add support for Diolan DLN-2 devices

From: Johan Hovold <johan@kernel.org>
Date: 2014-09-08 12:10:32
Also in: linux-i2c, lkml

On Mon, Sep 08, 2014 at 01:32:33PM +0200, Johan Hovold wrote:
On Fri, Sep 05, 2014 at 06:17:57PM +0300, Octavian Purdila wrote:
+static int _dln2_transfer(struct dln2_dev *dln2, u16 handle, u16 cmd,
+			  void *obuf, int obuf_len, void *ibuf, int *ibuf_len)
+{
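Review bot: ibuf_len is an in/out parameter (the caller's buffer size on entry, the number of bytes actually copied on return), but nothing in the signature or a comment says so; add a kernel-doc comment for _dln2_transfer() stating this, and since a negative length has no meaning here, consider declaring it as an unsigned type (e.g. `size_t *ibuf_len`) so that callers cannot pass a negative value that later becomes a huge copy length.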
<snip>
+	/* if we got here we know that the response header has been checked */
+	rsp = rxc->urb->transfer_buffer;
+	result = le16_to_cpu(rsp->result);
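Review bot: the comment only promises that the header has been checked, yet `le16_to_cpu(rsp->result)` reads two bytes past the header; before this read, verify that the length reported in rsp->hdr.size (which includes the header) is at least `sizeof(rsp->hdr) + sizeof(rsp->result)`, and that rxc->urb->actual_length covers it, otherwise a short response returns whatever stale bytes were left in the transfer buffer as the result code.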
Yes, but you haven't verified that rsp->hdr.size > 0, so you may still
be reading stale data.
I meant that you haven't verified that the payload size > 1 (the header
size is included in rsp->hdr.size and result is two bytes wide).
+
+	if (result) {
+		dev_dbg(dev, "%d received response with error %d\n",
+			handle, result);
+		ret = -EREMOTEIO;
+		goto out_free_rx_slot;
+	}
+
+	if (!ibuf) {
+		ret = 0;
+		goto out_free_rx_slot;
+	}
+
+	if (*ibuf_len > rxc->urb->actual_length - sizeof(*rsp))
+		*ibuf_len = rxc->urb->actual_length - sizeof(*rsp);
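Review bot: the clamp at the end assumes `rxc->urb->actual_length >= sizeof(*rsp)`; actual_length is unsigned, so a shorter response makes the subtraction wrap to a very large value, the comparison is then false, and the following memcpy copies the caller's full *ibuf_len bytes from beyond the received data. Check `actual_length < sizeof(*rsp)` first (returning an error such as -EPROTO), compute the payload length once into an unsigned local, and compare against that; with *ibuf_len being a signed int, also note that a negative value converts to an unsigned operand in this comparison, which is a further reason to make ibuf_len unsigned.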
And then you get an underflow here, although that doesn't seem to cause
any troubles in this case.
Unless ibuf_len is -1... 
But why isn't ibuf_len unsigned?
+
+	memcpy(ibuf, rsp + 1, *ibuf_len);
+
+out_free_rx_slot:
+	free_rx_slot(dln2, rxs, rx_slot);
+
+	return ret;
+}
Johan