out of bounds writes in net/hsr/

I found this in coverity, and I think it's a real bug..

hsr_register_frame_in does a check that dev_idx is between 0 and 2,
therefore, a dev_idx of 2 is possible when it gets to the array writes
at the end of the function.  The arrays are defined such..

struct node_entry {
...
        unsigned long   time_in[HSR_MAX_SLAVE];
        bool            time_in_stale[HSR_MAX_SLAVE];

and HSR_MAX_SLAVE is...

enum hsr_dev_idx {
        HSR_DEV_NONE = -1,
        HSR_DEV_SLAVE_A = 0,
        HSR_DEV_SLAVE_B,
        HSR_DEV_MASTER,
};
#define HSR_MAX_SLAVE   (HSR_DEV_SLAVE_B + 1)

So we have arrays of 2 bytes, and we can try to write to the 3rd byte.

The problem seems to be that the checking in hsr_register_frame is on
HSR_MAX_DEV which is defined as..

#define HSR_MAX_DEV     (HSR_DEV_MASTER + 1)

The + 1 seems odd, and looking at the other uses of HSR_MAX_DEV, I can't
figure out why it's there.

	Dave
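An added illustration (not the kernel's own code) of the mismatch described in the mail: the enum and the two macros are as quoted above, while struct node_entry and record_frame_in are simplified stand-ins for the real ones. It contrasts a range check written against HSR_MAX_DEV with one written against the size of the arrays actually being indexed.

```c
/* Added illustration, not the kernel's code: reproduces the index and
 * size definitions quoted in the mail and contrasts the two range checks. */
#include <stdbool.h>
#include <string.h>

enum hsr_dev_idx {
	HSR_DEV_NONE = -1,
	HSR_DEV_SLAVE_A = 0,
	HSR_DEV_SLAVE_B,
	HSR_DEV_MASTER,
};
#define HSR_MAX_SLAVE	(HSR_DEV_SLAVE_B + 1)	/* 2: per-slave arrays hold two entries */
#define HSR_MAX_DEV	(HSR_DEV_MASTER + 1)	/* 3: counts the master port as well */

/* Simplified stand-in for the kernel's struct node_entry (assumption). */
struct node_entry {
	unsigned long	time_in[HSR_MAX_SLAVE];
	bool		time_in_stale[HSR_MAX_SLAVE];
};

/* The check as the mail describes it: accepts 0..2, yet index 2
 * (HSR_DEV_MASTER) lies one past the end of the two-entry arrays. */
bool dev_idx_accepted_by_max_dev(int dev_idx)
{
	return dev_idx >= 0 && dev_idx < HSR_MAX_DEV;
}

/* A check bounded by the size of the arrays that are indexed. */
bool dev_idx_accepted_by_max_slave(int dev_idx)
{
	return dev_idx >= 0 && dev_idx < HSR_MAX_SLAVE;
}

/* Stand-in for the array writes at the end of hsr_register_frame_in:
 * returns false and writes nothing when dev_idx cannot index the
 * per-slave arrays, so a master-port index is rejected rather than
 * landing one element past time_in[] and time_in_stale[]. */
bool record_frame_in(struct node_entry *node, int dev_idx, unsigned long now)
{
	if (!dev_idx_accepted_by_max_slave(dev_idx))
		return false;
	node->time_in[dev_idx] = now;
	node->time_in_stale[dev_idx] = false;
	return true;
}
```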
