lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Tue, 2 Dec 2014 16:40:50 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	sjur.brandeland@...ricsson.com
Cc:	netdev@...r.kernel.org,
	Jörn Engel <joern@...fs.org>
Subject: re: net-caif: add CAIF core protocol stack

Hello Sjur Braendeland,

The patch b482cd2053e3: "net-caif: add CAIF core protocol stack" from
Mar 30, 2010, leads to the following static checker warning:

	net/caif/cfctrl.c:440 cfctrl_recv()
	error: potentially using uninitialized 'tmp'.

net/caif/cfpkt_skbuff.c
   124  int cfpkt_extr_head(struct cfpkt *pkt, void *data, u16 len)
   125  {
   126          struct sk_buff *skb = pkt_to_skb(pkt);
   127          u8 *from;
   128          if (unlikely(is_erronous(pkt)))
   129                  return -EPROTO;
   130  
   131          if (unlikely(len > skb->len)) {
   132                  PKT_ERROR(pkt, "read beyond end of packet\n");
   133                  return -EPROTO;
   134          }
   135  
   136          if (unlikely(len > skb_headlen(skb))) {
                             ^^^^^^^^^^^^^^^^^^^^^
Assume we can hit this condition with "len == 1".  I don't know if
that's possible.

   137                  if (unlikely(skb_linearize(skb) != 0)) {
   138                          PKT_ERROR(pkt, "linearize failed\n");
   139                          return -EPROTO;
   140                  }
   141          }
   142          from = skb_pull(skb, len);
   143          from -= len;
   144          if (data)
   145                  memcpy(data, from, len);
   146          return 0;
   147  }
   148  EXPORT_SYMBOL(cfpkt_extr_head);

net/caif/cfctrl.c
   430                          case CFCTRL_SRV_RFM:
   431                                  /* Construct a frame, convert
   432                                   * DatagramConnectionID
   433                                   * to network format long and copy it out...
   434                                   */
   435                                  cfpkt_extr_head(pkt, &tmp32, 4);
   436                                  linkparam.u.rfm.connid =
   437                                    le32_to_cpu(tmp32);
   438                                  cp = (u8 *) linkparam.u.rfm.volume;
   439                                  for (cfpkt_extr_head(pkt, &tmp, 1);
   440                                       cfpkt_more(pkt) && tmp != '\0';
                                                                ^^^^^^^^^^
cfpkt_more() would be true and "tmp" is uninitliazed so it is a forever
loop.

   441                                       cfpkt_extr_head(pkt, &tmp, 1))
   442                                          *cp++ = tmp;
   443                                  *cp = '\0';

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists