[PATCH 4.9 33/35] rxrpc: Fix handling of an unsupported token type in rxrpc_read()

From: Greg Kroah-Hartman
Date: Fri Jan 22 2021 - 17:17:33 EST

Next message: Steven Rostedt: "Re: [PATCH 3/3] tracing: Remove NULL check from current in tracing_generic_entry_update()."
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 32/35] net: avoid 32 x truesize under-estimation for tiny skbs"
In reply to: Greg Kroah-Hartman: "[PATCH 4.9 32/35] net: avoid 32 x truesize under-estimation for tiny skbs"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.9 35/35] spi: cadence: cache reference clock rate during probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells <dhowells@xxxxxxxxxx>

[ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ]

Clang static analysis reports the following:

net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined
toksize = toksizes[tok++];
^ ~~~~~~~~~~~~~~~

rxrpc_read() contains two consecutive loops. The first loop calculates the
token sizes and stores the results in toksizes[] and the second one uses
the array. When there is an error in identifying the token in the first
loop, the token is skipped, no change is made to the toksizes[] array.
When the same error happens in the second loop, the token is not skipped.
This will cause the toksizes[] array to be out of step and will overrun
past the calculated sizes.

Fix this by making both loops log a message and return an error in this
case. This should only happen if a new token type is incompletely
implemented, so it should normally be impossible to trigger this.

Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()")
Reported-by: Tom Rix <trix@xxxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Reviewed-by: Tom Rix <trix@xxxxxxxxxx>
Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@xxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/rxrpc/key.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -1106,7 +1106,7 @@ static long rxrpc_read(const struct key
default: /* we have a ticket we can't encode */
pr_err("Unsupported key token type (%u)\n",
token->security_index);
- continue;
+ return -ENOPKG;
}

_debug("token[%u]: toksize=%u", ntoks, toksize);
@@ -1226,7 +1226,9 @@ static long rxrpc_read(const struct key
break;

default:
- break;
+ pr_err("Unsupported key token type (%u)\n",
+ token->security_index);
+ return -ENOPKG;
}

ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==,

Next message: Steven Rostedt: "Re: [PATCH 3/3] tracing: Remove NULL check from current in tracing_generic_entry_update()."
Previous message: Greg Kroah-Hartman: "[PATCH 4.9 32/35] net: avoid 32 x truesize under-estimation for tiny skbs"
In reply to: Greg Kroah-Hartman: "[PATCH 4.9 32/35] net: avoid 32 x truesize under-estimation for tiny skbs"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.9 35/35] spi: cadence: cache reference clock rate during probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]