From: Dan Carpenter <dan.carpenter@oracle.com>
To: Karen Xie <kxie@chelsio.com>, Dimitris Michailidis <dm@chelsio.com>
Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler()
Date: Wed, 29 Nov 2017 11:42:20 +0000 [thread overview]
Message-ID: <20171129114220.3qbwryxjnol6zmsk@mwanda> (raw)
The story is that Smatch marks skb->data as untrusted and so it
complains about this code:
drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2111 t4_uld_rx_handler()
error: buffer overflow 'cxgb4i_cplhandlers' 239 <= 255.
I don't know the code very well, but it looks like a reasonable warning
message. Let's address it by adding a sanity check to make sure "opc"
is within bounds.
Fixes: bbc02c7e9d34 ("cxgb4: Add register, message, and FW definitions")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
index 266eddf17a99..94b2d5660a07 100644
--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
+++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
@@ -2108,12 +2108,12 @@ static int t4_uld_rx_handler(void *handle, const __be64 *rsp,
log_debug(1 << CXGBI_DBG_TOE,
"cdev %p, opcode 0x%x(0x%x,0x%x), skb %p.\n",
cdev, opc, rpl->ot.opcode_tid, ntohl(rpl->ot.opcode_tid), skb);
- if (cxgb4i_cplhandlers[opc])
- cxgb4i_cplhandlers[opc](cdev, skb);
- else {
+ if (opc >= ARRAY_SIZE(cxgb4i_cplhandlers) || !cxgb4i_cplhandlers[opc]) {
pr_err("No handler for opcode 0x%x.\n", opc);
__kfree_skb(skb);
+ return 0;
}
+ cxgb4i_cplhandlers[opc](cdev, skb);
return 0;
nomem:
log_debug(1 << CXGBI_DBG_TOE, "OOM bailing out.\n");
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Karen Xie <kxie@chelsio.com>, Dimitris Michailidis <dm@chelsio.com>
Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler()
Date: Wed, 29 Nov 2017 14:42:20 +0300 [thread overview]
Message-ID: <20171129114220.3qbwryxjnol6zmsk@mwanda> (raw)
The story is that Smatch marks skb->data as untrusted and so it
complains about this code:
drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2111 t4_uld_rx_handler()
error: buffer overflow 'cxgb4i_cplhandlers' 239 <= 255.
I don't know the code very well, but it looks like a reasonable warning
message. Let's address it by adding a sanity check to make sure "opc"
is within bounds.
Fixes: bbc02c7e9d34 ("cxgb4: Add register, message, and FW definitions")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
index 266eddf17a99..94b2d5660a07 100644
--- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
+++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
@@ -2108,12 +2108,12 @@ static int t4_uld_rx_handler(void *handle, const __be64 *rsp,
log_debug(1 << CXGBI_DBG_TOE,
"cdev %p, opcode 0x%x(0x%x,0x%x), skb %p.\n",
cdev, opc, rpl->ot.opcode_tid, ntohl(rpl->ot.opcode_tid), skb);
- if (cxgb4i_cplhandlers[opc])
- cxgb4i_cplhandlers[opc](cdev, skb);
- else {
+ if (opc >= ARRAY_SIZE(cxgb4i_cplhandlers) || !cxgb4i_cplhandlers[opc]) {
pr_err("No handler for opcode 0x%x.\n", opc);
__kfree_skb(skb);
+ return 0;
}
+ cxgb4i_cplhandlers[opc](cdev, skb);
return 0;
nomem:
log_debug(1 << CXGBI_DBG_TOE, "OOM bailing out.\n");
next reply other threads:[~2017-11-29 11:42 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-29 11:42 Dan Carpenter [this message]
2017-11-29 11:42 ` [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler() Dan Carpenter
2018-03-22 1:12 ` Martin K. Petersen
2018-03-28 15:56 ` Varun Prakash
2018-03-28 17:30 ` Dan Carpenter
2018-03-29 15:24 ` Varun Prakash
2018-03-15 11:07 Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171129114220.3qbwryxjnol6zmsk@mwanda \
--to=dan.carpenter@oracle.com \
--cc=dm@chelsio.com \
--cc=jejb@linux.vnet.ibm.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=kxie@chelsio.com \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.