From: David Howells <dhowells@redhat.com>
To: Tom Rix <trix@redhat.com>
Cc: dhowells@redhat.com, davem@davemloft.net, kuba@kernel.org,
natechancellor@gmail.com, ndesaulniers@google.com,
linux-afs@lists.infradead.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, clang-built-linux@googlegroups.com
Subject: Re: [PATCH] rxrpc: fix handling of an unsupported token type in rxrpc_read()
Date: Wed, 06 Jan 2021 16:57:05 +0000 [thread overview]
Message-ID: <548097.1609952225@warthog.procyon.org.uk> (raw)
In-Reply-To: <c2cc898d-171a-25da-c565-48f57d407777@redhat.com>
How about this?
David
---
commit 5d370a9db65a6fae82f09a009430ae40c564b0ef
Author: David Howells <dhowells@redhat.com>
Date: Wed Jan 6 16:21:40 2021 +0000
rxrpc: Fix handling of an unsupported token type in rxrpc_read()
Clang static analysis reports the following:
net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined
toksize = toksizes[tok++];
^ ~~~~~~~~~~~~~~~
rxrpc_read() contains two consecutive loops. The first loop calculates the
token sizes and stores the results in toksizes[] and the second one uses
the array. When there is an error in identifying the token in the first
loop, the token is skipped, no change is made to the toksizes[] array.
When the same error happens in the second loop, the token is not skipped.
This will cause the toksizes[] array to be out of step and will overrun
past the calculated sizes.
Fix the second loop so that it doesn't encode the size and type of an
unsupported token, but rather just ignore it as does the first loop.
Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()")
Reported-by: Tom Rix <trix@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 9631aa8543b5..c8e298c8d314 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -655,12 +655,12 @@ static long rxrpc_read(const struct key *key,
tok = 0;
for (token = key->payload.data[0]; token; token = token->next) {
toksize = toksizes[tok++];
- ENCODE(toksize);
oldxdr = xdr;
- ENCODE(token->security_index);
switch (token->security_index) {
case RXRPC_SECURITY_RXKAD:
+ ENCODE(toksize);
+ ENCODE(token->security_index);
ENCODE(token->kad->vice_id);
ENCODE(token->kad->kvno);
ENCODE_BYTES(8, token->kad->session_key);
next prev parent reply other threads:[~2021-01-06 16:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-29 17:39 [PATCH] rxrpc: fix handling of an unsupported token type in rxrpc_read() trix
2021-01-04 12:50 ` David Howells
2021-01-04 15:04 ` Tom Rix
2021-01-06 16:57 ` David Howells [this message]
2021-01-06 17:40 ` David Howells
2021-01-06 19:34 ` Tom Rix
2021-01-06 19:44 ` David Howells
2021-01-06 20:38 ` Tom Rix
2021-01-06 21:09 ` David Howells
2021-01-06 22:09 ` Tom Rix
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=548097.1609952225@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=clang-built-linux@googlegroups.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=natechancellor@gmail.com \
--cc=ndesaulniers@google.com \
--cc=netdev@vger.kernel.org \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.