| Message ID | 20240827020803.957250-3-matt@codeconstruct.com.au (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net: mctp-serial: Fix for missing tx escapes | expand |
On Tue, Aug 27, 2024 at 10:07:59AM +0800, Matt Johnston wrote: > 0x7d and 0x7e bytes are meant to be escaped in the data portion of > frames, but this didn't occur since next_chunk_len() had an off-by-one > error. That also resulted in the final byte of a payload being written > as a separate tty write op. > > The chunk prior to an escaped byte would be one byte short, and the > next call would never test the txpos+1 case, which is where the escaped > byte was located. That meant it never hit the escaping case in > mctp_serial_tx_work(). > > Example Input: 01 00 08 c8 7e 80 02 > > Previous incorrect chunks from next_chunk_len(): > > 01 00 08 > c8 7e 80 > 02 > > With this fix: > > 01 00 08 c8 > 7e > 80 02 > > Cc: stable@vger.kernel.org > Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding") > Signed-off-by: Matt Johnston <matt@codeconstruct.com.au> Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com> > --- > drivers/net/mctp/mctp-serial.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c > index d7db11355909..82890e983847 100644 > --- a/drivers/net/mctp/mctp-serial.c > +++ b/drivers/net/mctp/mctp-serial.c > @@ -91,8 +91,8 @@ static int next_chunk_len(struct mctp_serial *dev) > * will be those non-escaped bytes, and does not include the escaped > * byte. > */ > - for (i = 1; i + dev->txpos + 1 < dev->txlen; i++) { > - if (needs_escape(dev->txbuf[dev->txpos + i + 1])) > + for (i = 1; i + dev->txpos < dev->txlen; i++) { > + if (needs_escape(dev->txbuf[dev->txpos + i])) > break; > } > >
diff --git a/drivers/net/mctp/mctp-serial.c b/drivers/net/mctp/mctp-serial.c index d7db11355909..82890e983847 100644 --- a/drivers/net/mctp/mctp-serial.c +++ b/drivers/net/mctp/mctp-serial.c @@ -91,8 +91,8 @@ static int next_chunk_len(struct mctp_serial *dev) * will be those non-escaped bytes, and does not include the escaped * byte. */ - for (i = 1; i + dev->txpos + 1 < dev->txlen; i++) { - if (needs_escape(dev->txbuf[dev->txpos + i + 1])) + for (i = 1; i + dev->txpos < dev->txlen; i++) { + if (needs_escape(dev->txbuf[dev->txpos + i])) break; }
0x7d and 0x7e bytes are meant to be escaped in the data portion of frames, but this didn't occur since next_chunk_len() had an off-by-one error. That also resulted in the final byte of a payload being written as a separate tty write op. The chunk prior to an escaped byte would be one byte short, and the next call would never test the txpos+1 case, which is where the escaped byte was located. That meant it never hit the escaping case in mctp_serial_tx_work(). Example Input: 01 00 08 c8 7e 80 02 Previous incorrect chunks from next_chunk_len(): 01 00 08 c8 7e 80 02 With this fix: 01 00 08 c8 7e 80 02 Cc: stable@vger.kernel.org Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding") Signed-off-by: Matt Johnston <matt@codeconstruct.com.au> --- drivers/net/mctp/mctp-serial.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)