Re: [PATCH] rxrpc: fix handling of an unsupported token type in rxrpc_read()

From: David Howells
Date: Wed Jan 06 2021 - 11:58:41 EST

How about this?

commit 5d370a9db65a6fae82f09a009430ae40c564b0ef
Author: David Howells <dhowells@xxxxxxxxxx>
Date: Wed Jan 6 16:21:40 2021 +0000

rxrpc: Fix handling of an unsupported token type in rxrpc_read()

Clang static analysis reports the following:

net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined
toksize = toksizes[tok++];
^ ~~~~~~~~~~~~~~~

rxrpc_read() contains two consecutive loops. The first loop calculates the
token sizes and stores the results in toksizes[] and the second one uses
the array. When there is an error in identifying the token in the first
loop, the token is skipped, no change is made to the toksizes[] array.
When the same error happens in the second loop, the token is not skipped.
This will cause the toksizes[] array to be out of step and will overrun
past the calculated sizes.

Fix the second loop so that it doesn't encode the size and type of an
unsupported token, but rather just ignore it as does the first loop.

Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()")
Reported-by: Tom Rix <trix@xxxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>

diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c
index 9631aa8543b5..c8e298c8d314 100644
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -655,12 +655,12 @@ static long rxrpc_read(const struct key *key,
tok = 0;
for (token = key->[0]; token; token = token->next) {
toksize = toksizes[tok++];
- ENCODE(toksize);
oldxdr = xdr;
- ENCODE(token->security_index);

switch (token->security_index) {
+ ENCODE(toksize);
+ ENCODE(token->security_index);
ENCODE_BYTES(8, token->kad->session_key);