lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 11 Apr 2014 08:59:57 +0000
From:	David Laight <David.Laight@...LAB.COM>
To:	'Bjorn Helgaas' <bhelgaas@...gle.com>,
	"David S. Miller" <davem@...emloft.net>
CC:	Florian Fainelli <f.fainelli@...il.com>,
	Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	James Morris <jmorris@...ei.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	Patrick McHardy <kaber@...sh.net>
Subject: RE: [PATCH] tcp: fix compiler array bounds warning on
 selective_acks[]

Bjorn Helgaas 
> With -Werror=array-bounds, gcc v4.8.x warns that in tcp_sack_remove(), a
> selective_acks[] "array subscript is above array bounds".
> 
> I don't understand how gcc figures this out, or why we don't see similar
> problems many other places, but this is the only fix I can figure out.
...
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 65cf90e063d5..65133b108236 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -4047,7 +4047,8 @@ static void tcp_sack_remove(struct tcp_sock *tp)
> 
>  			/* Zap this SACK, by moving forward any other SACKS. */
>  			for (i = this_sack+1; i < num_sacks; i++)
> -				tp->selective_acks[i-1] = tp->selective_acks[i];
> +				if (i < ARRAY_SIZE(tp->selective_acks))
> +					tp->selective_acks[i-1] = tp->selective_acks[i];
>  			num_sacks--;
>  			continue;
>  		}

You really shouldn't add that test every time around the loop.

Try changing the loop so the assignment is:
   tp->selective_acks[i] = tp->selective_acks[i + 1];

or the loop test to:
	i <= num_sacks - 1;

Or beat up the gcc developers :-)

	David

Powered by blists - more mailing lists