On 2022-08-18 14:44, Andrew Lunn wrote:

quoted

+static int dsa_inband_rcv_ll(struct sk_buff *skb, struct net_device *dev)
+{
+	int source_device, source_port;
+	struct dsa_switch *ds;
+	u8 *dsa_header;
+	int rcv_seqno;
+	int ret = 0;
+
+	if (!dev || !dev->dsa_ptr)
+		return 0;
+
+	ds = dev->dsa_ptr->ds;
+
+	dsa_header = skb->data - 2;
+
+	source_device = dsa_header[0] & 0x1f;
+	source_port = (dsa_header[1] >> 3) & 0x1f;
+	ds = dsa_switch_find(ds->dst->index, source_device);

You should never trust anything you receive from the network. Always
validate it. ds could be a NULL pointer here, if source_device is
bad. source_port could also be invalid. Hum, source port is not
actually used?

Agree, will fix. I think source_port is a remnant from an earlier
version, I will fix it. 

We send RMU frames with a specific destination MAC address. Can we
validate the destination address for frames we receive.

Yes, I'll add that.
 

quoted

+
+	/* Get rcv seqno */
+	rcv_seqno = dsa_header[3];
+
+	skb_pull(skb, DSA_HLEN);
+
+	if (ds->ops && ds->ops->inband_receive(ds, skb, rcv_seqno))
+		netdev_err(dev, "DSA inband: error decoding packet");

rate limit this print, so as to avoid the possibility of a DoS.

     Andrew

Ofc, will fix. Thanks.