| Message ID | 161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk |
|---|---|
| State | New |
| Headers | show |
| Series | [net] rxrpc: Fix handling of an unsupported token type in rxrpc_read() | expand |
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Tue, 12 Jan 2021 15:23:51 +0000 you wrote: > Clang static analysis reports the following: > > net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined > toksize = toksizes[tok++]; > ^ ~~~~~~~~~~~~~~~ > > rxrpc_read() contains two consecutive loops. The first loop calculates the > token sizes and stores the results in toksizes[] and the second one uses > the array. When there is an error in identifying the token in the first > loop, the token is skipped, no change is made to the toksizes[] array. > When the same error happens in the second loop, the token is not skipped. > This will cause the toksizes[] array to be out of step and will overrun > past the calculated sizes. > > [...] Here is the summary with links: - [net] rxrpc: Fix handling of an unsupported token type in rxrpc_read() https://git.kernel.org/netdev/net/c/d52e419ac8b5 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index 9631aa8543b5..8d2073e0e3da 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -598,7 +598,7 @@ static long rxrpc_read(const struct key *key, default: /* we have a ticket we can't encode */ pr_err("Unsupported key token type (%u)\n", token->security_index); - continue; + return -ENOPKG; } _debug("token[%u]: toksize=%u", ntoks, toksize); @@ -674,7 +674,9 @@ static long rxrpc_read(const struct key *key, break; default: - break; + pr_err("Unsupported key token type (%u)\n", + token->security_index); + return -ENOPKG; } ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==,
Clang static analysis reports the following: net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined toksize = toksizes[tok++]; ^ ~~~~~~~~~~~~~~~ rxrpc_read() contains two consecutive loops. The first loop calculates the token sizes and stores the results in toksizes[] and the second one uses the array. When there is an error in identifying the token in the first loop, the token is skipped, no change is made to the toksizes[] array. When the same error happens in the second loop, the token is not skipped. This will cause the toksizes[] array to be out of step and will overrun past the calculated sizes. Fix this by making both loops log a message and return an error in this case. This should only happen if a new token type is incompletely implemented, so it should normally be impossible to trigger this. Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()") Reported-by: Tom Rix <trix@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Tom Rix <trix@redhat.com> --- net/rxrpc/key.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)