| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210816092610.GA26746@kili>
Date: Mon, 16 Aug 2021 12:26:10 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: M Chetan Kumar <m.chetan.kumar@...el.com>,
Solomon Ucko <solly.ucko@...il.com>
Cc: Intel Corporation <linuxwwan@...el.com>,
Loic Poulain <loic.poulain@...aro.org>,
Sergey Ryazanov <ryazanov.s.a@...il.com>,
Johannes Berg <johannes@...solutions.net>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
security@...nel.org
Subject: [PATCH net] net: iosm: Prevent underflow in ipc_chnl_cfg_get()
The bounds check on "index" doesn't catch negative values. Using
ARRAY_SIZE() directly is more readable and more robust because it prevents
negative values for "index". Fortunately we only pass valid values to
ipc_chnl_cfg_get() so this patch does not affect runtime.
Reported-by: Solomon Ucko <solly.ucko@...il.com>
Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
---
I suspect this is bug report was based on static analysis. I had a
Smatch check that used to print a warning, but then I modified it to
only complain when the index was user controlled.
drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c b/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
index 804e6c4f2c78..016c9c3aea8e 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_chnl_cfg.c
@@ -64,10 +64,9 @@ static struct ipc_chnl_cfg modem_cfg[] = {
int ipc_chnl_cfg_get(struct ipc_chnl_cfg *chnl_cfg, int index)
{
- int array_size = ARRAY_SIZE(modem_cfg);
-
- if (index >= array_size) {
- pr_err("index: %d and array_size %d", index, array_size);
+ if (index >= ARRAY_SIZE(modem_cfg)) {
+ pr_err("index: %d and array_size %lu", index,
+ ARRAY_SIZE(modem_cfg));
return -ECHRNG;
}
--
2.20.1
Powered by blists - more mailing lists