From: Varun Prakash <varun@chelsio.com>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler()
Date: Wed, 28 Mar 2018 15:56:25 +0000 [thread overview]
Message-ID: <20180328154423.GA1918@chelsio.com> (raw)
In-Reply-To: <20171129114220.3qbwryxjnol6zmsk@mwanda>
On Wed, Mar 21, 2018 at 09:12:00PM -0400, Martin K. Petersen wrote:
>
> Varun: Please look at this. Thanks!
>
> > What happened to this one?
> >
> > regards,
> > dan carpenter
> >
> >
> > On Wed, Nov 29, 2017 at 02:42:20PM +0300, Dan Carpenter wrote:
> >> The story is that Smatch marks skb->data as untrusted and so it
> >> complains about this code:
> >>
> >> drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2111 t4_uld_rx_handler()
> >> error: buffer overflow 'cxgb4i_cplhandlers' 239 <= 255.
> >>
> >> I don't know the code very well, but it looks like a reasonable warning
> >> message. Let's address it by adding a sanity check to make sure "opc"
> >> is within bounds.
> >>
> >> Fixes: bbc02c7e9d34 ("cxgb4: Add register, message, and FW definitions")
> >> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >>
> >> diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> >> index 266eddf17a99..94b2d5660a07 100644
> >> --- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> >> +++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> >> @@ -2108,12 +2108,12 @@ static int t4_uld_rx_handler(void *handle, const __be64 *rsp,
> >> log_debug(1 << CXGBI_DBG_TOE,
> >> "cdev %p, opcode 0x%x(0x%x,0x%x), skb %p.\n",
> >> cdev, opc, rpl->ot.opcode_tid, ntohl(rpl->ot.opcode_tid), skb);
> >> - if (cxgb4i_cplhandlers[opc])
> >> - cxgb4i_cplhandlers[opc](cdev, skb);
> >> - else {
> >> + if (opc >= ARRAY_SIZE(cxgb4i_cplhandlers) || !cxgb4i_cplhandlers[opc]) {
> >> pr_err("No handler for opcode 0x%x.\n", opc);
> >> __kfree_skb(skb);
> >> + return 0;
> >> }
> >> + cxgb4i_cplhandlers[opc](cdev, skb);
> >> return 0;
> >> nomem:
> >> log_debug(1 << CXGBI_DBG_TOE, "OOM bailing out.\n");
> >
> >
This check is not necessary but we can add it to avoid warning.
The commit mentioned in "Fixes" is not correct, this code was added in commit
"7b36b6e [SCSI] cxgb4i v5: iscsi driver"
Acked-by: Varun Prakash <varun@chelsio.com>
next prev parent reply other threads:[~2018-03-28 15:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-29 11:42 [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler() Dan Carpenter
2017-11-29 11:42 ` Dan Carpenter
2018-03-22 1:12 ` Martin K. Petersen
2018-03-28 15:56 ` Varun Prakash [this message]
2018-03-28 17:30 ` Dan Carpenter
2018-03-29 15:24 ` Varun Prakash
-- strict thread matches above, loose matches on Subject: below --
2018-03-15 11:07 Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180328154423.GA1918@chelsio.com \
--to=varun@chelsio.com \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.