All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: kernel-janitors@vger.kernel.org
Subject: [bug report] [ETH]: Make eth_type_trans set skb->dev like the other *_type_trans
Date: Wed, 02 May 2018 12:41:39 +0000	[thread overview]
Message-ID: <20180502124139.GA24433@mwanda> (raw)

Hi Santosh.  This one is very old...

The patch 4c13eb6657fe: "[ETH]: Make eth_type_trans set skb->dev like
the other *_type_trans" from Apr 25, 2007, leads to the following
static checker warning:

	drivers/net/ethernet/chelsio/cxgb3/sge.c:2087 rx_eth()
	error: buffer overflow 'adap->port' 2 <= 15 user_rl='0-15'

drivers/net/ethernet/chelsio/cxgb3/sge.c
  2068  /**
  2069   *      rx_eth - process an ingress ethernet packet
  2070   *      @adap: the adapter
  2071   *      @rq: the response queue that received the packet
  2072   *      @skb: the packet
  2073   *      @pad: amount of padding at the start of the buffer
  2074   *
  2075   *      Process an ingress ethernet pakcet and deliver it to the stack.
  2076   *      The padding is 2 if the packet was delivered in an Rx buffer and 0
  2077   *      if it was immediate data in a response.
  2078   */
  2079  static void rx_eth(struct adapter *adap, struct sge_rspq *rq,
  2080                     struct sk_buff *skb, int pad, int lro)
  2081  {
  2082          struct cpl_rx_pkt *p = (struct cpl_rx_pkt *)(skb->data + pad);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch always distruts skb->data.

  2083          struct sge_qset *qs = rspq_to_qset(rq);
  2084          struct port_info *pi;
  2085  
  2086          skb_pull(skb, sizeof(*p) + pad);
  2087          skb->protocol = eth_type_trans(skb, adap->port[p->iff]);
                                                               ^^^^^^
How do we know this doesn't is within bounds?

  2088          pi = netdev_priv(skb->dev);
  2089          if ((skb->dev->features & NETIF_F_RXCSUM) && p->csum_valid &&
  2090              p->csum = htons(0xffff) && !p->fragment) {
  2091                  qs->port_stats[SGE_PSTAT_RX_CSUM_GOOD]++;
  2092                  skb->ip_summed = CHECKSUM_UNNECESSARY;
  2093          } else
  2094                  skb_checksum_none_assert(skb);
  2095          skb_record_rx_queue(skb, qs - &adap->sge.qs[pi->first_qset]);
  2096  
  2097          if (p->vlan_valid) {
  2098                  qs->port_stats[SGE_PSTAT_VLANEX]++;
  2099                  __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), ntohs(p->vlan));
  2100          }


regards,
dan carpenter

                 reply	other threads:[~2018-05-02 12:41 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180502124139.GA24433@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=kernel-janitors@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.