Date:   Sun, 11 Mar 2018 17:12:09 -0500
From:   "Gustavo A. R. Silva" <gustavo@...eddedor.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
        Florian Westphal <fw@...len.de>,
        "David S. Miller" <davem@...emloft.net>,
        netfilter-devel@...r.kernel.org, coreteam@...filter.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        "Gustavo A. R. Silva" <garsilva@...eddedor.com>
Subject: Re: [RFC] netfilter: cttimeout: remove VLA in
 ctnl_timeout_parse_policy

Hi Pablo,

On 03/11/2018 05:04 PM, Pablo Neira Ayuso wrote:
> On Tue, Mar 06, 2018 at 12:47:55PM -0600, Gustavo A. R. Silva wrote:
>> In preparation to enabling -Wvla, remove VLA and replace it
>> with dynamic memory allocation.
> 
> Looks good but...
> 
>> Signed-off-by: Gustavo A. R. Silva <gustavo@...eddedor.com>
>> ---
>>   net/netfilter/nfnetlink_cttimeout.c | 12 ++++++++++--
>>   1 file changed, 10 insertions(+), 2 deletions(-)
>>
>> diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
>> index 95b0470..a2f7d92 100644
>> --- a/net/netfilter/nfnetlink_cttimeout.c
>> +++ b/net/netfilter/nfnetlink_cttimeout.c
>> @@ -52,18 +52,26 @@ ctnl_timeout_parse_policy(void *timeouts,
>>   			  struct net *net, const struct nlattr *attr)
>>   {
>>   	int ret = 0;
>> +	struct nlattr **tb = NULL;
> 
> I think we don't need to initialize this, right?
> 

We actually do have to initialize it because in the unlikely case that
the code block inside the 'if' below is not executed, then we will end
up freeing an uninitialized pointer.

Thanks
--
Gustavo

>>   
>>   	if (likely(l4proto->ctnl_timeout.nlattr_to_obj)) {
>> -		struct nlattr *tb[l4proto->ctnl_timeout.nlattr_max+1];
>> +		tb = kcalloc(l4proto->ctnl_timeout.nlattr_max + 1, sizeof(*tb),
>> +			     GFP_KERNEL);
>> +
>> +		if (!tb)
>> +			return -ENOMEM;
>>   
>>   		ret = nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max,
>>   				       attr, l4proto->ctnl_timeout.nla_policy,
>>   				       NULL);
>>   		if (ret < 0)
>> -			return ret;
>> +			goto err;
>>   
>>   		ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, timeouts);
>>   	}
>> +
>> +err:
>> +	kfree(tb);
>>   	return ret;
>>   }
>>   
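
Review bot: the `err:` label before `kfree(tb)` is also reached by fall-through on the success path and when the `if (likely(...))` block is skipped, so the name is misleading and the `= NULL` initializer on `tb` becomes load-bearing. Either rename the label to `out:`, or declare `tb` inside the `if` block and free it there (call `nlattr_to_obj()` only when `ret >= 0`, then `kfree(tb)` before leaving the block), which removes the need for both the initializer and the label. A smaller style point: drop the blank line between the `kcalloc()` call and `if (!tb)` so the check sits directly under the allocation it tests.
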
>> -- 
>> 2.7.4
>>

