On Fri, Jan 20, 2017 at 01:01:57PM +0000, Colin King wrote: > From: Colin Ian King <colin.king@xxxxxxxxxxxxx> > > The comparison on the timeout can lead to an array overrun > read on sctp_timer_tbl because of an off-by-one error. Fix > this by using < instead of <= and also compare to the array > size rather than SCTP_EVENT_TIMEOUT_MAX. > > Fixes CoverityScan CID#1397639 ("Out-of-bounds read") > > Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx> > --- > net/sctp/debug.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/sctp/debug.c b/net/sctp/debug.c > index 95d7b15..e371a0d 100644 > --- a/net/sctp/debug.c > +++ b/net/sctp/debug.c > @@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[] = { > /* Lookup timer debug name. */ > const char *sctp_tname(const sctp_subtype_t id) > { > - if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX) > + if (id.timeout < ARRAY_SIZE(sctp_timer_tbl)) > return sctp_timer_tbl[id.timeout]; The issue exists but this is not the right fix. Issue was introduced by 7b9438de0cd4 ("sctp: add stream reconf timer") as it introduced a new timer but didn't add the timer name here, so the fix should (also) include: diff --git a/net/sctp/debug.c b/net/sctp/debug.c index 95d7b15dad21..c5f4ed5242ac 100644 --- a/net/sctp/debug.c +++ b/net/sctp/debug.c @@ -159,6 +159,7 @@ static const char *const sctp_timer_tbl[] = { "TIMEOUT_T4_RTO", "TIMEOUT_T5_SHUTDOWN_GUARD", "TIMEOUT_HEARTBEAT", + "TIMEOUT_RECONF", "TIMEOUT_SACK", "TIMEOUT_AUTOCLOSE", }; Thanks, Marcelo > return "unknown_timer"; > } > -- > 2.10.2 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-sctp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html