| From foo@baz Fri Jan 22 01:21:57 PM CET 2021 |
| From: David Howells <dhowells@redhat.com> |
| Date: Tue, 12 Jan 2021 15:23:51 +0000 |
| Subject: rxrpc: Fix handling of an unsupported token type in rxrpc_read() |
| |
| From: David Howells <dhowells@redhat.com> |
| |
| [ Upstream commit d52e419ac8b50c8bef41b398ed13528e75d7ad48 ] |
| |
| Clang static analysis reports the following: |
| |
| net/rxrpc/key.c:657:11: warning: Assigned value is garbage or undefined |
| toksize = toksizes[tok++]; |
| ^ ~~~~~~~~~~~~~~~ |
| |
| rxrpc_read() contains two consecutive loops. The first loop calculates the |
| token sizes and stores the results in toksizes[] and the second one uses |
| the array. When there is an error in identifying the token in the first |
| loop, the token is skipped, no change is made to the toksizes[] array. |
| When the same error happens in the second loop, the token is not skipped. |
| This will cause the toksizes[] array to be out of step and will overrun |
| past the calculated sizes. |
| |
| Fix this by making both loops log a message and return an error in this |
| case. This should only happen if a new token type is incompletely |
| implemented, so it should normally be impossible to trigger this. |
| |
| Fixes: 9a059cd5ca7d ("rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read()") |
| Reported-by: Tom Rix <trix@redhat.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Reviewed-by: Tom Rix <trix@redhat.com> |
| Link: https://lore.kernel.org/r/161046503122.2445787.16714129930607546635.stgit@warthog.procyon.org.uk |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/rxrpc/key.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/net/rxrpc/key.c |
| +++ b/net/rxrpc/key.c |
| @@ -1112,7 +1112,7 @@ static long rxrpc_read(const struct key |
| default: /* we have a ticket we can't encode */ |
| pr_err("Unsupported key token type (%u)\n", |
| token->security_index); |
| - continue; |
| + return -ENOPKG; |
| } |
| |
| _debug("token[%u]: toksize=%u", ntoks, toksize); |
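Review bot: The `return -ENOPKG;` in this `default:` case is a behaviour change for callers that the code itself does not explain: with `continue` an unsupported token was skipped and the read carried on, and now the whole read fails. A short comment at the return would help, saying that this case must stay identical to the `default:` case of the second loop so that toksizes[] cannot get out of step. Without it, a later change could quietly restore the skip in one loop only.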
| @@ -1227,7 +1227,9 @@ static long rxrpc_read(const struct key |
| break; |
| |
| default: |
| - break; |
| + pr_err("Unsupported key token type (%u)\n", |
| + token->security_index); |
| + return -ENOPKG; |
| } |
| |
| ASSERTCMP((unsigned long)xdr - (unsigned long)oldxdr, ==, |
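Review bot: The `pr_err()` added to this `default:` case uses the same string as the one in the first loop, so a log line cannot show which pass rejected the token. Because the first loop now returns on the same condition, reaching this branch means the two loops disagree about the token list, which is a different and more serious situation. Consider a distinct message here, or a `WARN_ON_ONCE()`, and consider moving the shared error path into one small helper so the two cases cannot drift apart again.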