lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 Nov 2015 11:27:21 -0500 (EST) From: David Miller <davem@...emloft.net> To: ying.xue@...driver.com Cc: jon.maloy@...csson.com, scan-admin@...erity.com, stephen@...workplumber.org, netdev@...r.kernel.org, tipc-discussion@...ts.sourceforge.net Subject: Re: [PATCH v2] tipc: fix error handling of expanding buffer headroom From: Ying Xue <ying.xue@...driver.com> Date: Tue, 24 Nov 2015 13:57:57 +0800 > Coverity says: > > *** CID 1338065: Error handling issues (CHECKED_RETURN) > /net/tipc/udp_media.c: 162 in tipc_udp_send_msg() > 156 struct udp_media_addr *dst = (struct udp_media_addr *)&dest->value; > 157 struct udp_media_addr *src = (struct udp_media_addr *)&b->addr.value; > 158 struct sk_buff *clone; > 159 struct rtable *rt; > 160 > 161 if (skb_headroom(skb) < UDP_MIN_HEADROOM) >>>> CID 1338065: Error handling issues (CHECKED_RETURN) >>>> Calling "pskb_expand_head" without checking return value (as is done elsewhere 51 out of 56 times). > 162 pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC); > 163 > 164 clone = skb_clone(skb, GFP_ATOMIC); > 165 skb_set_inner_protocol(clone, htons(ETH_P_TIPC)); > 166 ub = rcu_dereference_rtnl(b->media_ptr); > 167 if (!ub) { > > When expanding buffer headroom over udp tunnel with pskb_expand_head(), > it's unfortunate that we don't check its return value. As a result, if > the function returns an error code due to the lack of memory, it may > cause unpredictable consequence as we unconditionally consider that > it's always successful. > > Fixes: e53567948f82 ("tipc: conditionally expand buffer headroom over udp tunnel") > Reported-by: <scan-admin@...erity.com> > Cc: Stephen Hemminger <stephen@...workplumber.org> > Signed-off-by: Ying Xue <ying.xue@...driver.com> Applied and queued up for -stable. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists