flaw in "nf_tables: add reject module for NFPROTO_INET"

flaw in "nf_tables: add reject module for NFPROTO_INET"

[Kees Cook]

Hi,

This seems like a legit problem detected by Coverity. Looks like a break is
missing?

-Kees

On Tue, Feb 11, 2014 at 11:34:33PM -0800, scan-admin@coverity.com wrote:
> 
> Hi,
> 
> 
> Please find the latest report on new defect(s) introduced to Linux found with Coverity Scan.
> 
> Defect(s) Reported-by: Coverity Scan
> Showing 1 of 1 defect(s)
> 
> 
> ** CID 1171942:  Missing break in switch  (MISSING_BREAK)
> /net/netfilter/nft_reject_inet.c: 25 in nft_reject_inet_eval()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1171942:  Missing break in switch  (MISSING_BREAK)
> /net/netfilter/nft_reject_inet.c: 25 in nft_reject_inet_eval()
> 19     				 struct nft_data data[NFT_REG_MAX + 1],
> 20     				 const struct nft_pktinfo *pkt)
> 21     {
> 22     	switch (pkt->ops->pf) {
> 23     	case NFPROTO_IPV4:
> 24     		nft_reject_ipv4_eval(expr, data, pkt);
> >>>     CID 1171942:  Missing break in switch  (MISSING_BREAK)
> >>>     The above case falls through to this one.
> 25     	case NFPROTO_IPV6:
> 26     		nft_reject_ipv6_eval(expr, data, pkt);
> 27     	}
> 28     }
> 29     
> 30     static struct nft_expr_type nft_reject_inet_type;

-- 
Kees Cook                                            @outflux.net

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[Dave Jones]

On Wed, Feb 12, 2014 at 12:43:08PM -0800, Kees Cook wrote:
 > Hi,
 > 
 > This seems like a legit problem detected by Coverity. Looks like a break is
 > missing?

yup, reported this morning. 
(Also note that I changed the state in coverity once Patrick confirmed it)

	Dave

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[Kees Cook]

On Wed, Feb 12, 2014 at 03:50:37PM -0500, Dave Jones wrote:
> On Wed, Feb 12, 2014 at 12:43:08PM -0800, Kees Cook wrote:
>  > Hi,
>  > 
>  > This seems like a legit problem detected by Coverity. Looks like a break is
>  > missing?
> 
> yup, reported this morning. 
> (Also note that I changed the state in coverity once Patrick confirmed it)

Ah, sorry for the noise then! I missed Dave's earlier the bug report email.

-Kees

-- 
Kees Cook                                            @outflux.net

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[Dave Jones]

On Wed, Feb 12, 2014 at 12:54:53PM -0800, Kees Cook wrote:
 > On Wed, Feb 12, 2014 at 03:50:37PM -0500, Dave Jones wrote:
 > > On Wed, Feb 12, 2014 at 12:43:08PM -0800, Kees Cook wrote:
 > >  > Hi,
 > >  > 
 > >  > This seems like a legit problem detected by Coverity. Looks like a break is
 > >  > missing?
 > > 
 > > yup, reported this morning. 
 > > (Also note that I changed the state in coverity once Patrick confirmed it)
 > 
 > Ah, sorry for the noise then! I missed Dave's earlier the bug report email.

I wonder if it's worth getting a coverity@vger.kernel.org list set up for
cc'ing stuff like this to reduce dupe reports (though this is the first I
recall in a while), and for review of patches etc before forwarding them on
to their relevant list/maintainers.

thoughts?

	Dave

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[Kees Cook]

On Wed, Feb 12, 2014 at 04:03:47PM -0500, Dave Jones wrote:
> I wonder if it's worth getting a coverity@vger.kernel.org list set up for
> cc'ing stuff like this to reduce dupe reports (though this is the first I
> recall in a while), and for review of patches etc before forwarding them on
> to their relevant list/maintainers.
> 
> thoughts?

I'd be up for it. It's why I CC'd you, I figured if I'd missed the
report it would have likely have come from you. :) Perhaps just start
by CCing each other, and if others want to get in on the fun too, move
to a list then?

-Kees

-- 
Kees Cook                                            @outflux.net

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[tytso]

On Wed, Feb 12, 2014 at 01:05:54PM -0800, Kees Cook wrote:
> 
> I'd be up for it. It's why I CC'd you, I figured if I'd missed the
> report it would have likely have come from you. :) Perhaps just start
> by CCing each other, and if others want to get in on the fun too, move
> to a list then?

I'm paying attention to Linux kernel coverity reports (as well as
working on my goal to drive the number of e2fsprogs coverity reports
to zero :-), so feel free to CC me on any reports.

Cheers,

						- Ted

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[Kees Cook]

On Wed, Feb 12, 2014 at 09:31:51PM +0000, tytso@mit.edu wrote:
> I'm paying attention to Linux kernel coverity reports (as well as
> working on my goal to drive the number of e2fsprogs coverity reports
> to zero :-), so feel free to CC me on any reports.

Okay, 3 people sounds like "we need a mailing list". :) Who's best to
ask for that?

-Kees

-- 
Kees Cook                                            @outflux.net

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[Theodore Ts'o]

On Wed, Feb 12, 2014 at 01:41:12PM -0800, Kees Cook wrote:
> On Wed, Feb 12, 2014 at 09:31:51PM +0000, tytso@mit.edu wrote:
> > I'm paying attention to Linux kernel coverity reports (as well as
> > working on my goal to drive the number of e2fsprogs coverity reports
> > to zero :-), so feel free to CC me on any reports.
> 
> Okay, 3 people sounds like "we need a mailing list". :) Who's best to
> ask for that?

+postmaster@vger.kernel.org

Hi Dave, Matti,

Would it be possible to set up a new mailing list on vger.kernel.org,
linux-coverity@vger.kernel.org?

Many thanks!!

					- Ted

Re: flaw in "nf_tables: add reject module for NFPROTO_INET"

[David Miller]

From: Theodore Ts'o <tytso@mit.edu>
Date: Wed, 12 Feb 2014 17:40:58 -0500

> Would it be possible to set up a new mailing list on vger.kernel.org,
> linux-coverity@vger.kernel.org?

Done.