From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752154AbdATN70 (ORCPT ); Fri, 20 Jan 2017 08:59:26 -0500 Received: from mx1.redhat.com ([209.132.183.28]:44748 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751941AbdATN7Y (ORCPT ); Fri, 20 Jan 2017 08:59:24 -0500 Date: Fri, 20 Jan 2017 11:58:45 -0200 From: Marcelo Ricardo Leitner To: Colin King Cc: Vlad Yasevich , Neil Horman , "David S . Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH][V2] net: sctp: fix array overrun read on sctp_timer_tbl Message-ID: <20170120135845.GT3781@localhost.localdomain> References: <20170120134542.21104-1-colin.king@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170120134542.21104-1-colin.king@canonical.com> User-Agent: Mutt/1.7.1 (2016-10-04) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Fri, 20 Jan 2017 13:58:51 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 20, 2017 at 01:45:42PM +0000, Colin King wrote: > From: Colin Ian King > > Table sctp_timer_tbl is missing a TIMEOUT_RECONF string so > add this in. Also compare timeout with the size of the array > sctp_timer_tbl rather than SCTP_EVENT_TIMEOUT_MAX. Also add > a build time check that SCTP_EVENT_TIMEOUT_MAX is correct > so we don't ever get this kind of mismatch between the table > and SCTP_EVENT_TIMEOUT_MAX in the future. > > Kudos to Marcel Ricardo Leitner for spotting the missing string > and suggesting the build time sanity check. > > Fixes CoverityScan CID#1397639 ("Out-of-bounds read") > > Signed-off-by: Colin Ian King Not sure I can add the Fixes tag for you here, but: Fixes: 7b9438de0cd4 ("sctp: add stream reconf timer") Acked-by: Marcelo Ricardo Leitner Thanks > --- > net/sctp/debug.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/net/sctp/debug.c b/net/sctp/debug.c > index 95d7b15..2e47eb2 100644 > --- a/net/sctp/debug.c > +++ b/net/sctp/debug.c > @@ -159,6 +159,7 @@ static const char *const sctp_timer_tbl[] = { > "TIMEOUT_T4_RTO", > "TIMEOUT_T5_SHUTDOWN_GUARD", > "TIMEOUT_HEARTBEAT", > + "TIMEOUT_RECONF", > "TIMEOUT_SACK", > "TIMEOUT_AUTOCLOSE", > }; > @@ -166,7 +167,9 @@ static const char *const sctp_timer_tbl[] = { > /* Lookup timer debug name. */ > const char *sctp_tname(const sctp_subtype_t id) > { > - if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX) > + BUILD_BUG_ON(SCTP_EVENT_TIMEOUT_MAX + 1 != ARRAY_SIZE(sctp_timer_tbl)); > + > + if (id.timeout < ARRAY_SIZE(sctp_timer_tbl)) > return sctp_timer_tbl[id.timeout]; > return "unknown_timer"; > } > -- > 2.10.2 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >