Re: [PATCH 4.4 33/49] net: sctp: fix array overrun read on sctp_timer_tbl

From: Greg Kroah-Hartman
Date: Sat Dec 09 2017 - 12:02:35 EST


On Fri, Dec 08, 2017 at 04:34:51AM +0000, Ben Hutchings wrote:
> On Thu, 2017-12-07 at 14:07 +0100, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me
> > know.
> >
> > ------------------
> >
> > From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> >
> >
> > [ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ]
> >
> > The comparison on the timeout can lead to an array overrun
> > read on sctp_timer_tbl because of an off-by-one error. Fix
> > this by using < instead of <= and also compare to the array
> > size rather than SCTP_EVENT_TIMEOUT_MAX.
> >
> > Fixes CoverityScan CID#1397639 ("Out-of-bounds read")
>
> SCTP_EVENT_TIMEOUT_MAX is one less than the array size, so the bounds
> check using <= was correct. This is cleanup, not a bug fix.

Ah, I was wondering why no one caught this earlier for submission.
Coverity isn't the smartest tool at times :(

thanks,

greg k-h