Re: [patch] [SCSI] aacraid: prevent ZERO_SIZE_PTR dereference

On Tue, Oct 29, 2013 at 12:10 PM, Dan Carpenter
<dan.carpenter@xxxxxxxxxx> wrote:
> If "fibsize" is zero then it leads to a ZERO_SIZE_PTR dereference when
> we dereference user_srbcmd.

Btw, these "ZERO_SIZE_PTR dereference" issues aren't about
ZERO_SIZE_PTR, they are about overrunning the allocations. The
ZERO_SIZE_PTR pointer is a perfectly valid pointer and can be
dereferenced just fine, as long as you stay within the allocation
size.

Think about it.

So I really get the feeling that checking for a zero size is very
wrong. If we can access the ZERO_SIZE_PTR, that means that we at some
point don't check the size limits, and if that's true for the zero
size, I don't see why that wouldn't be true for *other* sizes too.

I didn't check this particular case, and maybe zero really is special.
But it's not clear at all why it should be. Can you explain why zero
is special here, and why the buffer overrun cannot happen with size 1,
for example?

Because quite frankly, from what I can tell, testing against zero is
absolutely *WRONG*. Any size less than the size of "struct
user_aac_srb" would seem to be bogus.

This has nothing to do with zero, or with ZERO_SIZE_PTR.

Tell me why I'm wrong.

                Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
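The argument above, worked through as an added example (this is not the aacraid driver's code and not part of the thread). The struct layout, the `fake_kmalloc` helper and the three check modes are assumptions made so the example is self-contained; the real `struct user_aac_srb` is larger. `ZERO_SIZE_PTR` mirrors the kernel's definition in `include/linux/slab.h`: `kmalloc(0)` returns a non-NULL sentinel that owns zero bytes. The simulated ioctl path validates `fibsize`, allocates exactly `fibsize` bytes, and then needs to read `cmd->count`; rather than performing the read, it checks whether that field lies inside the allocation, so an overrun is reported instead of triggered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the driver's command header. The layout is an
 * assumption made only to keep the example self-contained. */
struct user_aac_srb {
    uint32_t function;
    uint32_t flags;
    uint32_t sg_count;
    uint32_t count;
};

/* Same value as the kernel's ZERO_SIZE_PTR: a valid, non-NULL pointer that
 * owns zero bytes. Touching any byte through it is an overrun of size 0. */
#define ZERO_SIZE_PTR ((void *)16)

/* Constructed stand-in for kmalloc()/kfree() with the zero-size convention. */
static void *fake_kmalloc(size_t n)
{
    return n ? malloc(n) : ZERO_SIZE_PTR;
}

static void fake_kfree(void *p)
{
    if (p != ZERO_SIZE_PTR)
        free(p);
}

enum check_mode {
    CHECK_NONE,        /* no length validation at all */
    CHECK_ZERO_ONLY,   /* reject fibsize == 0 only */
    CHECK_STRUCT_SIZE  /* reject fibsize < sizeof(struct user_aac_srb) */
};

enum srb_result {
    SRB_REJECTED,  /* request refused by the length check */
    SRB_ACCEPTED,  /* every header field lies inside the allocation */
    SRB_OVERRUN    /* reading cmd->count would run past the allocation */
};

/* Simulated ioctl path: validate fibsize, allocate fibsize bytes, then use
 * cmd->count. The bound is checked instead of the read being performed, so
 * the example itself never touches out-of-bounds memory. */
static enum srb_result handle_srb(size_t fibsize, enum check_mode mode)
{
    struct user_aac_srb *cmd;
    /* bytes the allocation must hold before cmd->count is safe to read */
    size_t need = offsetof(struct user_aac_srb, count) + sizeof(uint32_t);
    enum srb_result res;

    if (mode == CHECK_ZERO_ONLY && fibsize == 0)
        return SRB_REJECTED;
    if (mode == CHECK_STRUCT_SIZE && fibsize < sizeof(*cmd))
        return SRB_REJECTED;

    cmd = fake_kmalloc(fibsize);
    if (cmd != ZERO_SIZE_PTR)
        memset(cmd, 0, fibsize);  /* stands in for copy_from_user() */

    if (need > fibsize) {
        res = SRB_OVERRUN;        /* field lies past the end of the buffer */
    } else {
        uint32_t count = cmd->count;  /* in bounds: safe to use */
        (void)count;
        res = SRB_ACCEPTED;
    }
    fake_kfree(cmd);
    return res;
}

int main(void)
{
    static const char *names[] = { "none", "zero-only", "struct-size" };
    static const char *results[] = { "rejected", "accepted", "OVERRUN" };
    size_t sizes[] = { 0, 1, sizeof(struct user_aac_srb) - 1,
                       sizeof(struct user_aac_srb) };
    size_t i;
    int m;

    for (m = CHECK_NONE; m <= CHECK_STRUCT_SIZE; m++)
        for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
            printf("check=%-11s fibsize=%2zu -> %s\n", names[m], sizes[i],
                   results[handle_srb(sizes[i], (enum check_mode)m)]);
    return 0;
}
```

With no check, `fibsize` 0 and `fibsize` 1 fail the same way: the field read lands outside the allocation. The zero-only check removes just the first of those cases, while the struct-size check removes every undersized request before anything is allocated.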