Commit 08d4d217dff89707471b26348d97258016fcb8ed
Committed by
David S. Miller
1 parent
2fa053a0a2
Exists in
master
and in
16 other branches
rxrpc: out of bound read in debug code
Smatch complains because we are using an untrusted index into the rxrpc_acks[] array. It's just a read and it's only in the debug code, but it's simple enough to add a check and fix it. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 14 additions and 7 deletions Side-by-side Diff
net/rxrpc/ar-ack.c
... | ... | @@ -21,11 +21,18 @@ |
21 | 21 | |
22 | 22 | static unsigned int rxrpc_ack_defer = 1; |
23 | 23 | |
24 | -static const char *const rxrpc_acks[] = { | |
25 | - "---", "REQ", "DUP", "OOS", "WIN", "MEM", "PNG", "PNR", "DLY", "IDL", | |
26 | - "-?-" | |
27 | -}; | |
24 | +static const char *rxrpc_acks(u8 reason) | |
25 | +{ | |
26 | + static const char *const str[] = { | |
27 | + "---", "REQ", "DUP", "OOS", "WIN", "MEM", "PNG", "PNR", "DLY", | |
28 | + "IDL", "-?-" | |
29 | + }; | |
28 | 30 | |
31 | + if (reason >= ARRAY_SIZE(str)) | |
32 | + reason = ARRAY_SIZE(str) - 1; | |
33 | + return str[reason]; | |
34 | +} | |
35 | + | |
29 | 36 | static const s8 rxrpc_ack_priority[] = { |
30 | 37 | [0] = 0, |
31 | 38 | [RXRPC_ACK_DELAY] = 1, |
... | ... | @@ -50,7 +57,7 @@ |
50 | 57 | ASSERTCMP(prior, >, 0); |
51 | 58 | |
52 | 59 | _enter("{%d},%s,%%%x,%u", |
53 | - call->debug_id, rxrpc_acks[ack_reason], ntohl(serial), | |
60 | + call->debug_id, rxrpc_acks(ack_reason), ntohl(serial), | |
54 | 61 | immediate); |
55 | 62 | |
56 | 63 | if (prior < rxrpc_ack_priority[call->ackr_reason]) { |
... | ... | @@ -637,7 +644,7 @@ |
637 | 644 | hard, |
638 | 645 | ntohl(ack.previousPacket), |
639 | 646 | ntohl(ack.serial), |
640 | - rxrpc_acks[ack.reason], | |
647 | + rxrpc_acks(ack.reason), | |
641 | 648 | ack.nAcks); |
642 | 649 | |
643 | 650 | rxrpc_extract_ackinfo(call, skb, latest, ack.nAcks); |
... | ... | @@ -1180,7 +1187,7 @@ |
1180 | 1187 | ntohl(ack.firstPacket), |
1181 | 1188 | ntohl(ack.previousPacket), |
1182 | 1189 | ntohl(ack.serial), |
1183 | - rxrpc_acks[ack.reason], | |
1190 | + rxrpc_acks(ack.reason), | |
1184 | 1191 | ack.nAcks); |
1185 | 1192 | |
1186 | 1193 | del_timer_sync(&call->ack_timer); |