* [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
@ 2007-05-19 5:13 Eugene Teo
2007-05-19 5:30 ` Randy Dunlap
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Eugene Teo @ 2007-05-19 5:13 UTC (permalink / raw)
To: linux-kernel; +Cc: Arnaldo Carvalho de Melo
skb_peek() might return an empty list. skb should be checked before calling
llc_pdu_sn_hdr() with it.
Spotted by the Coverity checker.
Signed-off-by: Eugene Teo <eteo@redhat.com>
diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 3b8cfbe..28a3994 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -323,7 +323,8 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16
*how_many_unacked)
if (!q_len)
goto out;
- skb = skb_peek(&llc->pdu_unack_q);
+ if (! (skb = skb_peek(&llc->pdu_unack_q)))
+ goto out;
pdu = llc_pdu_sn_hdr(skb);
/* finding position of last acked pdu in queue */
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
2007-05-19 5:13 [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference Eugene Teo
@ 2007-05-19 5:30 ` Randy Dunlap
2007-05-19 5:44 ` Eugene Teo
` (2 more replies)
2007-05-19 5:43 ` Herbert Xu
2007-05-19 5:59 ` David Miller
2 siblings, 3 replies; 8+ messages in thread
From: Randy Dunlap @ 2007-05-19 5:30 UTC (permalink / raw)
To: Eugene Teo; +Cc: linux-kernel, Arnaldo Carvalho de Melo
On Sat, 19 May 2007 13:13:07 +0800 Eugene Teo wrote:
> skb_peek() might return an empty list. skb should be checked before calling
> llc_pdu_sn_hdr() with it.
>
> Spotted by the Coverity checker.
>
> Signed-off-by: Eugene Teo <eteo@redhat.com>
Hi Eugene,
Networking patches need to be sent to the netdev@vger.kernel.org
mailing list (and lkml can be omitted IMHO).
But... instead of doing the assignment and test in one swoop,
we prefer:
> if (!q_len)
> goto out;
> skb = skb_peek(&llc->pdu_unack_q);
> + if (!skb)
> + goto out;
> pdu = llc_pdu_sn_hdr(skb);
Oh, and your patch has spaces instead of tabs. It's a hassle to
get thunderbird to send a patch that preserves tabs. See if this:
http://mbligh.org/linuxdocs/Email/Clients/Thunderbird
helps you any.
> diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
> index 3b8cfbe..28a3994 100644
> --- a/net/llc/llc_conn.c
> +++ b/net/llc/llc_conn.c
> @@ -323,7 +323,8 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16
> *how_many_unacked)
>
> if (!q_len)
> goto out;
> - skb = skb_peek(&llc->pdu_unack_q);
> + if (! (skb = skb_peek(&llc->pdu_unack_q)))
> + goto out;
> pdu = llc_pdu_sn_hdr(skb);
>
> /* finding position of last acked pdu in queue */
>
> -
---
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
2007-05-19 5:13 [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference Eugene Teo
2007-05-19 5:30 ` Randy Dunlap
@ 2007-05-19 5:43 ` Herbert Xu
2007-05-19 5:59 ` David Miller
2 siblings, 0 replies; 8+ messages in thread
From: Herbert Xu @ 2007-05-19 5:43 UTC (permalink / raw)
To: Eugene Teo; +Cc: linux-kernel, acme, netdev
Eugene Teo <eteo@redhat.com> wrote:
>
> diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
> index 3b8cfbe..28a3994 100644
> --- a/net/llc/llc_conn.c
> +++ b/net/llc/llc_conn.c
> @@ -323,7 +323,8 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16
> *how_many_unacked)
>
> if (!q_len)
> goto out;
> - skb = skb_peek(&llc->pdu_unack_q);
> + if (! (skb = skb_peek(&llc->pdu_unack_q)))
> + goto out;
Actually we just checked that the queue length is non-zero so there
must be a packet there unless someone's just removed it. If it were
possible for someone else to remove it in parallel, then we've got
bigger problems to worry about :)
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
2007-05-19 5:30 ` Randy Dunlap
@ 2007-05-19 5:44 ` Eugene Teo
2007-05-19 5:49 ` Eugene Teo
2007-05-19 6:01 ` David Miller
2 siblings, 0 replies; 8+ messages in thread
From: Eugene Teo @ 2007-05-19 5:44 UTC (permalink / raw)
To: Randy Dunlap; +Cc: linux-kernel, Arnaldo Carvalho de Melo
Hi Randy,
Randy Dunlap wrote:
> On Sat, 19 May 2007 13:13:07 +0800 Eugene Teo wrote:
>
>> skb_peek() might return an empty list. skb should be checked before calling
>> llc_pdu_sn_hdr() with it.
>>
>> Spotted by the Coverity checker.
>>
>> Signed-off-by: Eugene Teo <eteo@redhat.com>
[...]
>
> Networking patches need to be sent to the netdev@vger.kernel.org
> mailing list (and lkml can be omitted IMHO).
>
> But... instead of doing the assignment and test in one swoop,
> we prefer:
Right, thanks for the reminder!
Eugene
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
2007-05-19 5:30 ` Randy Dunlap
2007-05-19 5:44 ` Eugene Teo
@ 2007-05-19 5:49 ` Eugene Teo
2007-05-19 6:03 ` David Miller
2007-05-19 6:01 ` David Miller
2 siblings, 1 reply; 8+ messages in thread
From: Eugene Teo @ 2007-05-19 5:49 UTC (permalink / raw)
To: netdev; +Cc: Arnaldo Carvalho de Melo, Randy Dunlap, Eugene Teo
[-- Attachment #1: Type: text/plain, Size: 696 bytes --]
Randy Dunlap wrote:
> On Sat, 19 May 2007 13:13:07 +0800 Eugene Teo wrote:
>
>> skb_peek() might return an empty list. skb should be checked before calling
>> llc_pdu_sn_hdr() with it.
>>
>> Spotted by the Coverity checker.
>>
>> Signed-off-by: Eugene Teo <eteo@redhat.com>
[...]
>
> Oh, and your patch has spaces instead of tabs. It's a hassle to
> get thunderbird to send a patch that preserves tabs. See if this:
> http://mbligh.org/linuxdocs/Email/Clients/Thunderbird
> helps you any.
Here's a resend:
skb_peek() might return an empty list. skb should be checked before calling
llc_pdu_sn_hdr() with it.
Spotted by the Coverity checker.
Signed-off-by: Eugene Teo <eteo@redhat.com>
[-- Attachment #2: 2.6-llc_conn.patch --]
[-- Type: text/x-patch, Size: 403 bytes --]
diff --git a/net/llc/llc_conn.c b/net/llc/llc_conn.c
index 3b8cfbe..6d3a07e 100644
--- a/net/llc/llc_conn.c
+++ b/net/llc/llc_conn.c
@@ -324,6 +324,8 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16 *how_many_unacked)
if (!q_len)
goto out;
skb = skb_peek(&llc->pdu_unack_q);
+ if (!skb)
+ goto out;
pdu = llc_pdu_sn_hdr(skb);
/* finding position of last acked pdu in queue */
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
2007-05-19 5:13 [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference Eugene Teo
2007-05-19 5:30 ` Randy Dunlap
2007-05-19 5:43 ` Herbert Xu
@ 2007-05-19 5:59 ` David Miller
2 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2007-05-19 5:59 UTC (permalink / raw)
To: eteo; +Cc: linux-kernel, acme
From: Eugene Teo <eteo@redhat.com>
Date: Sat, 19 May 2007 13:13:07 +0800
> skb_peek() might return an empty list. skb should be checked before calling
> llc_pdu_sn_hdr() with it.
>
> Spotted by the Coverity checker.
>
> Signed-off-by: Eugene Teo <eteo@redhat.com>
The code checks skb_queue_len() for zero first, therefore NULL is
impossible.
Can you check this kind of stuff before submitting patches like this?
Thank you.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
2007-05-19 5:30 ` Randy Dunlap
2007-05-19 5:44 ` Eugene Teo
2007-05-19 5:49 ` Eugene Teo
@ 2007-05-19 6:01 ` David Miller
2 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2007-05-19 6:01 UTC (permalink / raw)
To: randy.dunlap; +Cc: eteo, linux-kernel, acme
From: Randy Dunlap <randy.dunlap@oracle.com>
Date: Fri, 18 May 2007 22:30:05 -0700
> Networking patches need to be sent to the netdev@vger.kernel.org
> mailing list (and lkml can be omitted IMHO).
>
> But... instead of doing the assignment and test in one swoop,
> we prefer:
In any event the patch is totally bogus because the
code checks to make sure skb_queue_len() != 0 first
so NULL cannot occur.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference
2007-05-19 5:49 ` Eugene Teo
@ 2007-05-19 6:03 ` David Miller
0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2007-05-19 6:03 UTC (permalink / raw)
To: eteo; +Cc: netdev, acme, randy.dunlap
From: Eugene Teo <eteo@redhat.com>
Date: Sat, 19 May 2007 13:49:11 +0800
> Spotted by the Coverity checker.
Why am I not surprised :-(
There is no bug here, if Coverity warns every single time skb_peek()
is used and not tested against NULL, that's a very serious shortcoming
of Coverity or what it has been taught about SKB queues.
It needs to learn that skb_queue_len() != 0 implies skb_peek() will
not return NULL sans locking errors.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2007-05-19 6:03 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-05-19 5:13 [2.6 patch] net/llc/llc_conn.c: fix possible NULL dereference Eugene Teo
2007-05-19 5:30 ` Randy Dunlap
2007-05-19 5:44 ` Eugene Teo
2007-05-19 5:49 ` Eugene Teo
2007-05-19 6:03 ` David Miller
2007-05-19 6:01 ` David Miller
2007-05-19 5:43 ` Herbert Xu
2007-05-19 5:59 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.