From: Dan Carpenter <dan.carpenter@oracle.com> To: Karen Xie <kxie@chelsio.com>, Dimitris Michailidis <dm@chelsio.com> Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler() Date: Wed, 29 Nov 2017 11:42:20 +0000 [thread overview] Message-ID: <20171129114220.3qbwryxjnol6zmsk@mwanda> (raw) The story is that Smatch marks skb->data as untrusted and so it complains about this code: drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2111 t4_uld_rx_handler() error: buffer overflow 'cxgb4i_cplhandlers' 239 <= 255. I don't know the code very well, but it looks like a reasonable warning message. Let's address it by adding a sanity check to make sure "opc" is within bounds. Fixes: bbc02c7e9d34 ("cxgb4: Add register, message, and FW definitions") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c index 266eddf17a99..94b2d5660a07 100644 --- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c +++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c @@ -2108,12 +2108,12 @@ static int t4_uld_rx_handler(void *handle, const __be64 *rsp, log_debug(1 << CXGBI_DBG_TOE, "cdev %p, opcode 0x%x(0x%x,0x%x), skb %p.\n", cdev, opc, rpl->ot.opcode_tid, ntohl(rpl->ot.opcode_tid), skb); - if (cxgb4i_cplhandlers[opc]) - cxgb4i_cplhandlers[opc](cdev, skb); - else { + if (opc >= ARRAY_SIZE(cxgb4i_cplhandlers) || !cxgb4i_cplhandlers[opc]) { pr_err("No handler for opcode 0x%x.\n", opc); __kfree_skb(skb); + return 0; } + cxgb4i_cplhandlers[opc](cdev, skb); return 0; nomem: log_debug(1 << CXGBI_DBG_TOE, "OOM bailing out.\n");
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com> To: Karen Xie <kxie@chelsio.com>, Dimitris Michailidis <dm@chelsio.com> Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler() Date: Wed, 29 Nov 2017 14:42:20 +0300 [thread overview] Message-ID: <20171129114220.3qbwryxjnol6zmsk@mwanda> (raw) The story is that Smatch marks skb->data as untrusted and so it complains about this code: drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2111 t4_uld_rx_handler() error: buffer overflow 'cxgb4i_cplhandlers' 239 <= 255. I don't know the code very well, but it looks like a reasonable warning message. Let's address it by adding a sanity check to make sure "opc" is within bounds. Fixes: bbc02c7e9d34 ("cxgb4: Add register, message, and FW definitions") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c index 266eddf17a99..94b2d5660a07 100644 --- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c +++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c @@ -2108,12 +2108,12 @@ static int t4_uld_rx_handler(void *handle, const __be64 *rsp, log_debug(1 << CXGBI_DBG_TOE, "cdev %p, opcode 0x%x(0x%x,0x%x), skb %p.\n", cdev, opc, rpl->ot.opcode_tid, ntohl(rpl->ot.opcode_tid), skb); - if (cxgb4i_cplhandlers[opc]) - cxgb4i_cplhandlers[opc](cdev, skb); - else { + if (opc >= ARRAY_SIZE(cxgb4i_cplhandlers) || !cxgb4i_cplhandlers[opc]) { pr_err("No handler for opcode 0x%x.\n", opc); __kfree_skb(skb); + return 0; } + cxgb4i_cplhandlers[opc](cdev, skb); return 0; nomem: log_debug(1 << CXGBI_DBG_TOE, "OOM bailing out.\n");
next reply other threads:[~2017-11-29 11:42 UTC|newest] Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-11-29 11:42 Dan Carpenter [this message] 2017-11-29 11:42 ` [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler() Dan Carpenter 2018-03-22 1:12 ` Martin K. Petersen 2018-03-28 15:56 ` Varun Prakash 2018-03-28 17:30 ` Dan Carpenter 2018-03-29 15:24 ` Varun Prakash 2018-03-15 11:07 Dan Carpenter
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20171129114220.3qbwryxjnol6zmsk@mwanda \ --to=dan.carpenter@oracle.com \ --cc=dm@chelsio.com \ --cc=jejb@linux.vnet.ibm.com \ --cc=kernel-janitors@vger.kernel.org \ --cc=kxie@chelsio.com \ --cc=linux-scsi@vger.kernel.org \ --cc=martin.petersen@oracle.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.