From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@01.org, Tomas Bortoli <tomasbortoli@gmail.com>
Cc: johan.hedberg@gmail.com, netdev@vger.kernel.org,
	marcel@holtmann.org, linux-kernel@vger.kernel.org,
	linux-bluetooth@vger.kernel.org, syzkaller@googlegroups.com,
	kbuild-all@01.org, davem@davemloft.net
Subject: Re: [kbuild] [PATCH] net/bluetooth: Fix bound check in event handling
Date: Sat, 30 Mar 2019 11:23:10 +0300
Message-ID: <20190330082310.GV32613@kadam>
In-Reply-To: <20190330071757.GU32613@kadam>

On Sat, Mar 30, 2019 at 10:17:57AM +0300, Dan Carpenter wrote:
> [ This is an old warning.  Sorry for missing it earlier.  I would have
>   caught it when the code was merged as well so there was no real risk
>   but it's just awkward.  ]
> 
> Hi Tomas,
> 
> url:    https://github.com/0day-ci/linux/commits/Tomas-Bortoli/net-bluetooth-Fix-bound-check-in-event-handling/20190301-213647
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
> 
> smatch warnings:
> net/bluetooth/hci_event.c:3986 hci_inquiry_result_with_rssi_evt() warn: potential pointer math issue ('info' is a 120 bit pointer)
> 
> # https://github.com/0day-ci/linux/commit/00305742c021794f147b348d45eb10ea26e5a514
> git remote add linux-review https://github.com/0day-ci/linux
> git remote update linux-review
> git checkout 00305742c021794f147b348d45eb10ea26e5a514
> vim +3986 net/bluetooth/hci_event.c
> 
> 6039aa73 Gustavo Padovan 2012-05-23  3963  static void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev,
> 807deac2 Gustavo Padovan 2012-05-17  3964  					     struct sk_buff *skb)
> a9de9248 Marcel Holtmann 2007-10-20  3965  {
> a9de9248 Marcel Holtmann 2007-10-20  3966  	struct inquiry_data data;
> a9de9248 Marcel Holtmann 2007-10-20  3967  	int num_rsp = *((__u8 *) skb->data);
> a9de9248 Marcel Holtmann 2007-10-20  3968  
> a9de9248 Marcel Holtmann 2007-10-20  3969  	BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
> a9de9248 Marcel Holtmann 2007-10-20  3970  
> a9de9248 Marcel Holtmann 2007-10-20  3971  	if (!num_rsp)
> a9de9248 Marcel Holtmann 2007-10-20  3972  		return;
> a9de9248 Marcel Holtmann 2007-10-20  3973  
> d7a5a11d Marcel Holtmann 2015-03-13  3974  	if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
> 1519cc17 Andre Guedes    2012-03-21  3975  		return;
> 1519cc17 Andre Guedes    2012-03-21  3976  
> a9de9248 Marcel Holtmann 2007-10-20  3977  	hci_dev_lock(hdev);
> a9de9248 Marcel Holtmann 2007-10-20  3978  
> a9de9248 Marcel Holtmann 2007-10-20  3979  	if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
> 138d22ef Szymon Janc     2011-02-17  3980  		struct inquiry_info_with_rssi_and_pscan_mode *info;
> 138d22ef Szymon Janc     2011-02-17  3981  		info = (void *) (skb->data + 1);
> a9de9248 Marcel Holtmann 2007-10-20  3982  
> e17acd40 Johan Hedberg   2011-03-30  3983  		for (; num_rsp; num_rsp--, info++) {
> af58925c Marcel Holtmann 2014-07-01  3984  			u32 flags;
> af58925c Marcel Holtmann 2014-07-01  3985  
> 00305742 Tomas Bortoli   2019-02-28 @3986  			if ((void *)(info + sizeof(info)) >
>                                                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> This should be (void *)info + sizeof(info).  The code you have will
                                ^^^^^^^^^^^^
				sizeof(*info)
Sorry...

regards,
dan carpenter
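
The difference between the three forms of the check discussed in this message, as an added example that is not part of the original message or of the kernel source. `struct rsp` is a constructed 15-byte stand-in for the 120-bit record smatch reports, and comparing against the end of the payload is an assumption, since the quoted line is cut off before its right-hand side.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the 15-byte (120-bit) record named by smatch. */
struct rsp { unsigned char raw[15]; };

/* As written: info + sizeof(info). Pointer addition scales by
 * sizeof(*info), so the reach is pointer size times 15 bytes. */
static size_t reach_as_written(void)
{
	struct rsp pool[sizeof(struct rsp *) + 1]; /* keeps the math in bounds */
	struct rsp *info = pool;
	return (size_t)((char *)(info + sizeof(info)) - (char *)info);
}

/* First suggestion: byte arithmetic, but sizeof(info) is the pointer size.
 * char * stands in here for the kernel's GNU void * arithmetic. */
static size_t reach_first_suggestion(void)
{
	struct rsp pool[1];
	struct rsp *info = pool;
	return (size_t)(((char *)info + sizeof(info)) - (char *)info);
}

/* Corrected form: byte arithmetic with the size of one whole record. */
static size_t reach_corrected(void)
{
	struct rsp pool[1];
	struct rsp *info = pool;
	return (size_t)(((char *)info + sizeof(*info)) - (char *)info);
}

/* Records a loop processes if it stops at the first record whose checked
 * extent passes the end of a payload of payload_len bytes (assumed limit). */
static size_t records_accepted(size_t payload_len, size_t num_rsp, size_t reach)
{
	size_t n = 0;
	while (n < num_rsp && n * sizeof(struct rsp) + reach <= payload_len)
		n++;
	return n;
}

int main(void)
{
	size_t two = 2 * sizeof(struct rsp);         /* two complete records */
	size_t partial = two + sizeof(struct rsp *); /* plus a truncated third */
	printf("as written: %zu of 2 complete records accepted\n", records_accepted(two, 2, reach_as_written()));
	printf("sizeof(info): %zu accepted, 2 are complete\n", records_accepted(partial, 3, reach_first_suggestion()));
	printf("sizeof(*info): %zu accepted\n", records_accepted(partial, 3, reach_corrected()));
	return 0;
}
```

The scaled form rejects complete records, while the pointer-size form lets through a trailing record that is shorter than the structure; only `sizeof(*info)` bounds exactly one record.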



Thread overview: 9+ messages
2019-02-28 19:59 [PATCH] net/bluetooth: Fix bound check in event handling Tomas Bortoli
2019-03-02 16:46 ` Marcel Holtmann
2019-03-02 23:17   ` Tomas Bortoli
2019-03-04 15:04 ` Dan Carpenter
2019-03-04 19:58   ` Tomas Bortoli
2019-03-04 20:20 ` Tomas Bortoli
2019-03-30  7:17 ` Dan Carpenter
2019-03-30  8:23   ` Dan Carpenter [this message]
2019-03-30 22:37   ` Tomas Bortoli
