[bug report] cxgbit: add files for cxgbit.ko

Hello Varun Prakash,

The patch 9730ffcb8957: "cxgbit: add files for cxgbit.ko" from Apr
20, 2016, leads to the following static checker warning:

	drivers/target/iscsi/cxgbit/cxgbit_target.c:1442 cxgbit_lro_skb_merge()
	warn: buffer overflow 'ssi->frags' 17 <= 255

	drivers/target/iscsi/cxgbit/cxgbit_target.c:1464 cxgbit_lro_skb_merge()
	warn: buffer overflow 'ssi->frags' 17 <= 255

drivers/target/iscsi/cxgbit/cxgbit_target.c
  1425  cxgbit_lro_skb_merge(struct cxgbit_sock *csk, struct sk_buff *skb, u8 pdu_idx)
  1426  {
  1427          struct sk_buff *hskb = csk->lro_hskb;
  1428          struct cxgbit_lro_pdu_cb *hpdu_cb = cxgbit_skb_lro_pdu_cb(hskb, 0);
  1429          struct cxgbit_lro_pdu_cb *pdu_cb = cxgbit_skb_lro_pdu_cb(skb, pdu_idx);
                                          ^^^^^^
This comes from skb->data so it's marked as user controlled.

  1430          struct skb_shared_info *hssi = skb_shinfo(hskb);
  1431          struct skb_shared_info *ssi = skb_shinfo(skb);
  1432          unsigned int len = 0;
  1433  
  1434          if (pdu_cb->flags & PDUCBF_RX_HDR) {
  1435                  u8 hfrag_idx = hssi->nr_frags;
  1436  
  1437                  hpdu_cb->flags |= pdu_cb->flags;
  1438                  hpdu_cb->seq = pdu_cb->seq;
  1439                  hpdu_cb->hdr = pdu_cb->hdr;
  1440                  hpdu_cb->hlen = pdu_cb->hlen;
  1441  
  1442                  memcpy(&hssi->frags[hfrag_idx], &ssi->frags[pdu_cb->hfrag_idx],
                                                                    ^^^^^^^^^^^^^^^^^
array overflow.

  1443                         sizeof(skb_frag_t));
  1444  
  1445                  get_page(skb_frag_page(&hssi->frags[hfrag_idx]));
  1446                  hssi->nr_frags++;
  1447                  hpdu_cb->frags++;
  1448                  hpdu_cb->hfrag_idx = hfrag_idx;
  1449  
  1450                  len = hssi->frags[hfrag_idx].size;
  1451                  hskb->len += len;
  1452                  hskb->data_len += len;
  1453                  hskb->truesize += len;
  1454          }
  1455  
  1456          if (pdu_cb->flags & PDUCBF_RX_DATA) {
  1457                  u8 dfrag_idx = hssi->nr_frags, i;
  1458  
  1459                  hpdu_cb->flags |= pdu_cb->flags;
  1460                  hpdu_cb->dfrag_idx = dfrag_idx;
  1461  
  1462                  len = 0;
  1463                  for (i = 0; i < pdu_cb->nr_dfrags; dfrag_idx++, i++) {
  1464                          memcpy(&hssi->frags[dfrag_idx],
  1465                                 &ssi->frags[pdu_cb->dfrag_idx + i],
                                                   ^^^^^^^^^^^^^^^^^^^^^
and here.

  1466                                 sizeof(skb_frag_t));
  1467  
  1468                          get_page(skb_frag_page(&hssi->frags[dfrag_idx]));

regards,
dan carpenter
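The warning above is about indices (`hfrag_idx`, `dfrag_idx`, `nr_dfrags`) that originate in `skb->data` and are used to read `ssi->frags[]` and write `hssi->frags[]` without a range check against `MAX_SKB_FRAGS`. The following user-space model is an added example, not code from the kernel, from the cxgbit driver, or from this report: the structure names (`shinfo`, `frag`, `pdu_cb`), the `run()` scenarios and the `refs` counter standing in for `get_page()` are all constructed here, and `MAX_SKB_FRAGS` is fixed at 17 only because that is the bound the checker printed. It shows the bounds validation that has to happen before either `memcpy` in `cxgbit_lro_skb_merge()`: the source index must lie inside the source skb's populated frags, the data range `dfrag_idx + nr_dfrags` must not run past `nr_frags`, and the destination must have room for everything that will be appended.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model; these are not the kernel's structures.
 * 17 matches the bound in the checker warning ("17 <= 255"). */
#define MAX_SKB_FRAGS 17

#define PDUCBF_RX_HDR  (1u << 0)
#define PDUCBF_RX_DATA (1u << 1)

struct frag { const void *page; unsigned int size; };  /* stands in for skb_frag_t */

struct shinfo {                                        /* stands in for skb_shared_info */
    uint8_t nr_frags;
    struct frag frags[MAX_SKB_FRAGS];
};

struct pdu_cb {                                        /* stands in for cxgbit_lro_pdu_cb */
    uint8_t flags, hfrag_idx, dfrag_idx, nr_dfrags;    /* values parsed from skb->data */
};

/* Copy one frag into the next free slot of dst and take a reference
 * (a counter here, get_page() in the kernel). Caller guarantees bounds. */
static void append_frag(struct shinfo *dst, const struct shinfo *src,
                        uint8_t si, unsigned int *refs)
{
    dst->frags[dst->nr_frags] = src->frags[si];
    (*refs)++;
    dst->nr_frags++;
}

/* Validate every wire-derived index before touching either frags[] array.
 * Returns the number of frags merged, or -EINVAL when the pdu_cb is out of range. */
int merge_frags_checked(struct shinfo *dst, const struct shinfo *src,
                        const struct pdu_cb *cb, unsigned int *refs)
{
    unsigned int needed = 0;

    if (cb->flags & PDUCBF_RX_HDR) {
        if (cb->hfrag_idx >= src->nr_frags)          /* source read past populated frags */
            return -EINVAL;
        needed++;
    }
    if (cb->flags & PDUCBF_RX_DATA) {
        /* widen before adding so two u8 values cannot wrap */
        if ((unsigned int)cb->dfrag_idx + cb->nr_dfrags > src->nr_frags)
            return -EINVAL;
        needed += cb->nr_dfrags;
    }
    if ((unsigned int)dst->nr_frags + needed > MAX_SKB_FRAGS) /* destination overflow */
        return -EINVAL;

    if (cb->flags & PDUCBF_RX_HDR)
        append_frag(dst, src, cb->hfrag_idx, refs);
    if (cb->flags & PDUCBF_RX_DATA)
        for (uint8_t i = 0; i < cb->nr_dfrags; i++)
            append_frag(dst, src, (uint8_t)(cb->dfrag_idx + i), refs);
    return (int)needed;
}

/* Constructed scenario: the source skb holds 4 frags, the head skb starts with
 * dst_start. Returns merge_frags_checked()'s result, or -1 if the reference
 * and nr_frags bookkeeping disagree with it. */
static int run(uint8_t flags, uint8_t hidx, uint8_t didx, uint8_t ndf, uint8_t dst_start)
{
    struct shinfo src = { .nr_frags = 4 }, dst = { .nr_frags = dst_start };
    struct pdu_cb cb = { .flags = flags, .hfrag_idx = hidx,
                         .dfrag_idx = didx, .nr_dfrags = ndf };
    unsigned int refs = 0;

    for (uint8_t i = 0; i < src.nr_frags; i++)
        src.frags[i].size = 100 + i;                 /* constructed sizes */

    int rc = merge_frags_checked(&dst, &src, &cb, &refs);
    if (rc > 0 && (refs != (unsigned int)rc || dst.nr_frags != dst_start + rc))
        return -1;
    return rc;
}

int main(void)
{
    printf("valid hdr+data: %d\n", run(PDUCBF_RX_HDR | PDUCBF_RX_DATA, 0, 1, 3, 2));
    printf("hfrag_idx 200: %d\n", run(PDUCBF_RX_HDR, 200, 0, 0, 2));
    printf("dfrag range past source: %d\n", run(PDUCBF_RX_DATA, 0, 3, 2, 2));
    printf("destination full: %d\n", run(PDUCBF_RX_DATA, 0, 0, 4, 15));
    return 0;
}
```

The check rejects the header index before any read, rejects a data range whose end lies past the source's `nr_frags`, and rejects a merge that would push the head skb past `MAX_SKB_FRAGS`; only after all three pass does it copy and take references, so a rejected PDU leaves both skbs untouched.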