From: alexander.levin@verizon.com
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Colin Ian King <colin.king@canonical.com>,
	"David S . Miller" <davem@davemloft.net>,
	alexander.levin@verizon.com
Subject: [PATCH AUTOSEL for 4.9 32/54] net: sctp: fix array overrun read on sctp_timer_tbl
Date: Wed, 22 Nov 2017 22:23:59 +0000
Message-ID: <20171122222344.19782-32-alexander.levin@verizon.com>
In-Reply-To: <20171122222344.19782-1-alexander.levin@verizon.com>

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ]

The comparison on the timeout can lead to an array overrun
read on sctp_timer_tbl because of an off-by-one error. Fix
this by using < instead of <= and also compare to the array
size rather than SCTP_EVENT_TIMEOUT_MAX.

Fixes CoverityScan CID#1397639 ("Out-of-bounds read")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
---
 net/sctp/debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/debug.c b/net/sctp/debug.c
index 95d7b15dad21..e371a0d90068 100644
--- a/net/sctp/debug.c
+++ b/net/sctp/debug.c
@@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[] = {
 /* Lookup timer debug name. */
 const char *sctp_tname(const sctp_subtype_t id)
 {
-	if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX)
+	if (id.timeout < ARRAY_SIZE(sctp_timer_tbl))
 		return sctp_timer_tbl[id.timeout];
 	return "unknown_timer";
 }
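
Review bot: the new bound on the + line in sctp_tname() depends only on the length of sctp_timer_tbl, so nothing visible here keeps the table in step with the set of timeout values. If a timeout is later added without a matching table entry, the lookup will quietly return "unknown_timer" instead of failing the build. Consider a BUILD_BUG_ON next to the table that ties ARRAY_SIZE(sctp_timer_tbl) to the number of timeout values, plus a short comment stating how SCTP_EVENT_TIMEOUT_MAX relates to the table length, since the commit message says the old <= comparison against that constant was off by one.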
-- 
2.11.0
