Re: [PATCH v3] char: tty3270: fix a missing check on list iterator

On 28. 03. 22, 12:27, Xiaomeng Tong wrote:
> On Mon, 28 Mar 2022 12:09:59 +0200, Jiri Slaby wrote:
>> On 28. 03. 22, 11:35, Xiaomeng Tong wrote:
>>> The bug is here:
>>> 	if (s->len != flen) {
>>>
>>> The list iterator 's' will point to a bogus position containing
>>> HEAD if the list is empty or no element is found.
>>
>> Could you also explain how that can happen?
>
> When list_for_each_entry_* does not exit early (if the list is empty
> or no break/goto/return is hit inside the loop), it will set pos ('s' here)
> with a bogus pointer that points to an invalid struct computed based
> on &HEAD using container_of.
>
> #define list_for_each_entry(pos, head, member)                          \
>          for (pos = list_first_entry(head, typeof(*pos), member);        \
>               !list_entry_is_head(pos, head, member);                    \
>               pos = list_next_entry(pos, member))

No, I didn't mean what happens on that site on the code level. I think everyone understands that. Instead, I meant: what circumstances lead to this _situation_ in reality?

thanks,
--
js
suse labs
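
The iterator behaviour described in the quoted explanation, as an added example that is not part of the original message or of the tty3270 driver: a userspace version of the list macros showing what `s` holds after a loop with no match, next to a lookup that returns NULL instead. The `struct string` layout and the names `iterator_is_head_after_miss` and `find_len` are hypothetical; `flen` stands in for the length being searched for.

```c
#include <stddef.h>
#include <stdio.h>
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
/* Userspace equivalent of the kernel macro quoted in the thread. */
#define list_for_each_entry(pos, head, member)                          \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head);                                     \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Hypothetical element type; only the 'len' field name comes from the thread. */
struct string { int len; struct list_head list; };

static void list_add_tail(struct list_head *node, struct list_head *head)
{
	node->prev = head->prev; node->next = head;
	head->prev->next = node; head->prev = node;
}

/* Returns 1 when no match was found and 's' was left as container_of(head). */
int iterator_is_head_after_miss(struct list_head *head, int flen)
{
	struct string *s;
	list_for_each_entry(s, head, list)
		if (s->len == flen)
			break;
	return &s->list == head; /* address comparison only, no s->len read */
}

/* Defensive form: the result pointer is set only on a real match. */
struct string *find_len(struct list_head *head, int flen)
{
	struct string *s, *found = NULL;
	list_for_each_entry(s, head, list)
		if (s->len == flen) { found = s; break; }
	return found;
}

int main(void)
{
	struct list_head head = { &head, &head };  /* constructed empty list */
	struct string a = { .len = 3 };
	printf("empty list, miss: bogus=%d\n", iterator_is_head_after_miss(&head, 5));
	list_add_tail(&a.list, &head);
	printf("one entry, miss:  bogus=%d\n", iterator_is_head_after_miss(&head, 5));
	printf("one entry, hit:   found=%d\n", find_len(&head, 3) == &a);
	return 0;
}
```

In both miss cases the iterator is non-NULL, so a NULL test on `s` after the loop cannot detect the condition; the separate `found` pointer can.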


