Re: [PATCH 4.4 33/49] net: sctp: fix array overrun read on sctp_timer_tbl
From: Ben Hutchings
Date: Thu Dec 07 2017 - 23:35:07 EST
On Thu, 2017-12-07 at 14:07 +0100, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.ÂÂIf anyone has any objections, please let me
> know.
>
> ------------------
>
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
>
> [ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ]
>
> The comparison on the timeout can lead to an array overrun
> read on sctp_timer_tbl because of an off-by-one error. Fix
> this by using < instead of <= and also compare to the array
> size rather than SCTP_EVENT_TIMEOUT_MAX.
>
> Fixes CoverityScan CID#1397639 ("Out-of-bounds read")
SCTP_EVENT_TIMEOUT_MAX is one less than the array size, so the bounds
check using <= was correct. This is cleanup, not a bug fix.
Ben.
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <alexander.levin@xxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> Ânet/sctp/debug.c |ÂÂÂÂ2 +-
> Â1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/net/sctp/debug.c
> +++ b/net/sctp/debug.c
> @@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[
> Â/* Lookup timer debug name. */
> Âconst char *sctp_tname(const sctp_subtype_t id)
> Â{
> - if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX)
> + if (id.timeout < ARRAY_SIZE(sctp_timer_tbl))
> Â return sctp_timer_tbl[id.timeout];
> Â return "unknown_timer";
> Â}
>
>
>
--
Ben Hutchings
Software Developer, Codethink Ltd.