From: Christophe JAILLET
Date: Mon, 26 Aug 2019 21:02:09 +0200
> We 'allocate' 'count' bytes here. In fact, 'dev_alloc_skb' already add some
> extra space for padding, so a bit more is allocated.
>
> However, we use 1 byte for the KISS command, then copy 'count' bytes, so
> count+1 bytes.
>
> Explicitly allocate and use 1 more byte to be safe.
>
> Signed-off-by: Christophe JAILLET
> ---
> This patch should be safe, be however may no be the correct way to fix the
> "buffer overflow". Maybe, the allocated size is correct and we should have:
>memcpy(ptr, sp->cooked_buf + 1, count - 1);
> or
>memcpy(ptr, sp->cooked_buf + 1, count - 1sp->rcount);
>
> I've not dig deep enough to understand the link betwwen 'rcount' and
> how 'cooked_buf' is used.
I'm trying to figure out how this code works too.
Why are they skipping over the first byte? Is that to avoid the
command byte? Yes, then using sp->rcount as the memcpy length makes
sense.
Why is the caller subtracting 2 from the RX buffer count when
calculating sp->rcount? This makes the situation even more confusing.