From: Varun Prakash <varun@chelsio.com>
To: kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler()
Date: Wed, 28 Mar 2018 15:56:25 +0000 [thread overview]
Message-ID: <20180328154423.GA1918@chelsio.com> (raw)
In-Reply-To: <20171129114220.3qbwryxjnol6zmsk@mwanda>
On Wed, Mar 21, 2018 at 09:12:00PM -0400, Martin K. Petersen wrote:
>
> Varun: Please look at this. Thanks!
>
> > What happened to this one?
> >
> > regards,
> > dan carpenter
> >
> >
> > On Wed, Nov 29, 2017 at 02:42:20PM +0300, Dan Carpenter wrote:
> >> The story is that Smatch marks skb->data as untrusted and so it
> >> complains about this code:
> >>
> >> drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:2111 t4_uld_rx_handler()
> >> error: buffer overflow 'cxgb4i_cplhandlers' 239 <= 255.
> >>
> >> I don't know the code very well, but it looks like a reasonable warning
> >> message. Let's address it by adding a sanity check to make sure "opc"
> >> is within bounds.
> >>
> >> Fixes: bbc02c7e9d34 ("cxgb4: Add register, message, and FW definitions")
> >> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >>
> >> diff --git a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> >> index 266eddf17a99..94b2d5660a07 100644
> >> --- a/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> >> +++ b/drivers/scsi/cxgbi/cxgb4i/cxgb4i.c
> >> @@ -2108,12 +2108,12 @@ static int t4_uld_rx_handler(void *handle, const __be64 *rsp,
> >> log_debug(1 << CXGBI_DBG_TOE,
> >> "cdev %p, opcode 0x%x(0x%x,0x%x), skb %p.\n",
> >> cdev, opc, rpl->ot.opcode_tid, ntohl(rpl->ot.opcode_tid), skb);
> >> - if (cxgb4i_cplhandlers[opc])
> >> - cxgb4i_cplhandlers[opc](cdev, skb);
> >> - else {
> >> + if (opc >= ARRAY_SIZE(cxgb4i_cplhandlers) || !cxgb4i_cplhandlers[opc]) {
> >> pr_err("No handler for opcode 0x%x.\n", opc);
> >> __kfree_skb(skb);
> >> + return 0;
> >> }
> >> + cxgb4i_cplhandlers[opc](cdev, skb);
> >> return 0;
> >> nomem:
> >> log_debug(1 << CXGBI_DBG_TOE, "OOM bailing out.\n");
> >
> >
This check is not necessary but we can add it to avoid warning.
The commit mentioned in "Fixes" is not correct, this code was added in commit
"7b36b6e [SCSI] cxgb4i v5: iscsi driver"
Acked-by: Varun Prakash <varun@chelsio.com>
next prev parent reply other threads:[~2018-03-28 15:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-29 11:42 [PATCH] scsi: cxgb4i: potential array overflow in t4_uld_rx_handler() Dan Carpenter
2018-03-22 1:12 ` Martin K. Petersen
2018-03-28 15:56 ` Varun Prakash [this message]
2018-03-28 17:30 ` Dan Carpenter
2018-03-29 15:24 ` Varun Prakash
-- strict thread matches above, loose matches on Subject: below --
2018-03-15 11:07 Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180328154423.GA1918@chelsio.com \
--to=varun@chelsio.com \
--cc=kernel-janitors@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).