| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z1dnvR1I19Baqjn2@calendula>
Date: Mon, 9 Dec 2024 22:57:17 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Karol P <karprzy7@...il.com>
Cc: kadlec@...filter.org, davem@...emloft.net, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
netfilter-devel@...r.kernel.org, coreteam@...filter.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
skhan@...uxfoundation.org
Subject: Re: [PATCH] netfilter: nfnetlink_queue: Fix redundant comparison of
unsigned value
On Mon, Dec 09, 2024 at 10:50:17PM +0100, Karol P wrote:
> On Mon, 9 Dec 2024 at 22:32, Pablo Neira Ayuso <pablo@...filter.org> wrote:
> >
> > Hi,
> >
> > On Mon, Dec 09, 2024 at 09:49:18PM +0100, Karol Przybylski wrote:
> > > The comparison seclen >= 0 in net/netfilter/nfnetlink_queue.c is redundant because seclen is an unsigned value, and such comparisons are always true.
> > >
> > > This patch removes the unnecessary comparison replacing it with just 'greater than'
> > >
> > > Discovered in coverity, CID 1602243
> > >
> > > Signed-off-by: Karol Przybylski <karprzy7@...il.com>
> > > ---
> > > net/netfilter/nfnetlink_queue.c | 6 +++---
> > > 1 file changed, 3 insertions(+), 3 deletions(-)
> > >
> > > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> > > index 5110f29b2..eacb34ffb 100644
> > > --- a/net/netfilter/nfnetlink_queue.c
> > > +++ b/net/netfilter/nfnetlink_queue.c
> > > @@ -643,7 +643,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> > >
> > > if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
> > > seclen = nfqnl_get_sk_secctx(entskb, &ctx);
> > > - if (seclen >= 0)
> > > + if (seclen > 0)
> >
> > What tree are you using? I don't see this code in net-next.git
>
> linux-next, next-20241209
> Link: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/net/netfilter/nfnetlink_queue.c?h=next-20241209#n646
Could you trace from what commit ID and what tree this is coming?
Then, post the patch to the corresponding tree and add a Fixes: tag?
Possibly use:
if (seclen)
as this code was before?
Thanks.
> > > size += nla_total_size(seclen);
> > > }
> > >
> > > @@ -810,7 +810,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> > > }
> > >
> > > nlh->nlmsg_len = skb->len;
> > > - if (seclen >= 0)
> > > + if (seclen > 0)
> > > security_release_secctx(&ctx);
> > > return skb;
> > >
> > > @@ -819,7 +819,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> > > kfree_skb(skb);
> > > net_err_ratelimited("nf_queue: error creating packet message\n");
> > > nlmsg_failure:
> > > - if (seclen >= 0)
> > > + if (seclen > 0)
> > > security_release_secctx(&ctx);
> > > return NULL;
> > > }
> > > --
> > > 2.34.1
> > >
Powered by blists - more mailing lists