* [PATCH ipsec-next] xfrm: fix possible null deref in xfrm_init_tempstate
@ 2017-01-13 13:55 Florian Westphal
2017-01-16 13:24 ` Steffen Klassert
0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2017-01-13 13:55 UTC (permalink / raw)
To: netdev; +Cc: dan.carpenter, Florian Westphal
Dan reports following smatch warning:
net/xfrm/xfrm_state.c:659
error: we previously assumed 'afinfo' could be null (see line 651)
649 struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
651 if (afinfo)
...
658 }
659 afinfo->init_temprop(x, tmpl, daddr, saddr);
I am resonably sure afinfo cannot be NULL here.
xfrm_state4.c and state6.c are both part of ipv4/ipv6 (depends on
CONFIG_XFRM, a boolean) but even if ipv6 is a module state6.c can't
be removed (ipv6 lacks module_exit so it cannot be removed).
The only callers for xfrm6_fini that leads to state backend unregister
are error unwinding paths that can be called during ipv6 init function.
So after ipv6 module is loaded successfully the state backend cannot go
away anymore.
The family value from policy lookup path is taken from dst_entry, so
that should always be AF_INET(6).
However, since this silences the warning and avoids readers of this
code wondering about possible null deref it seems preferrable to
be defensive and just add the old check back.
Fixes: 711059b9752ad0 ("xfrm: add and use xfrm_state_afinfo_get_rcu")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index a62097e640b5..5a597dbbe564 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -648,8 +648,10 @@ xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
{
struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
- if (afinfo)
- afinfo->init_tempsel(&x->sel, fl);
+ if (!afinfo)
+ return;
+
+ afinfo->init_tempsel(&x->sel, fl);
if (family != tmpl->encap_family) {
afinfo = xfrm_state_afinfo_get_rcu(tmpl->encap_family);
--
2.7.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH ipsec-next] xfrm: fix possible null deref in xfrm_init_tempstate
2017-01-13 13:55 [PATCH ipsec-next] xfrm: fix possible null deref in xfrm_init_tempstate Florian Westphal
@ 2017-01-16 13:24 ` Steffen Klassert
0 siblings, 0 replies; 2+ messages in thread
From: Steffen Klassert @ 2017-01-16 13:24 UTC (permalink / raw)
To: Florian Westphal; +Cc: netdev, dan.carpenter
On Fri, Jan 13, 2017 at 02:55:14PM +0100, Florian Westphal wrote:
> Dan reports following smatch warning:
> net/xfrm/xfrm_state.c:659
> error: we previously assumed 'afinfo' could be null (see line 651)
>
> 649 struct xfrm_state_afinfo *afinfo = xfrm_state_afinfo_get_rcu(family);
> 651 if (afinfo)
> ...
> 658 }
> 659 afinfo->init_temprop(x, tmpl, daddr, saddr);
>
> I am resonably sure afinfo cannot be NULL here.
>
> xfrm_state4.c and state6.c are both part of ipv4/ipv6 (depends on
> CONFIG_XFRM, a boolean) but even if ipv6 is a module state6.c can't
> be removed (ipv6 lacks module_exit so it cannot be removed).
>
> The only callers for xfrm6_fini that leads to state backend unregister
> are error unwinding paths that can be called during ipv6 init function.
>
> So after ipv6 module is loaded successfully the state backend cannot go
> away anymore.
>
> The family value from policy lookup path is taken from dst_entry, so
> that should always be AF_INET(6).
>
> However, since this silences the warning and avoids readers of this
> code wondering about possible null deref it seems preferrable to
> be defensive and just add the old check back.
>
> Fixes: 711059b9752ad0 ("xfrm: add and use xfrm_state_afinfo_get_rcu")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Applied to ipsec-next, thanks!
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-01-16 13:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-13 13:55 [PATCH ipsec-next] xfrm: fix possible null deref in xfrm_init_tempstate Florian Westphal
2017-01-16 13:24 ` Steffen Klassert
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.