[{"id":1768249,"web_url":"http://patchwork.ozlabs.org/comment/1768249/","msgid":"<20170913.170019.543516362575770735.davem@davemloft.net>","list_archive_url":null,"date":"2017-09-14T00:00:19","subject":"Re: [PATCH v2 net] sctp: potential read out of bounds in\n\tsctp_ulpevent_type_enabled()","submitter":{"id":15,"url":"http://patchwork.ozlabs.org/api/people/15/","name":"David Miller","email":"davem@davemloft.net"},"content":"From: Dan Carpenter <dan.carpenter@oracle.com>\nDate: Thu, 14 Sep 2017 02:00:54 +0300\n\n> This code causes a static checker warning because Smatch doesn't trust\n> anything that comes from skb->data.  I've reviewed this code and I do\n> think skb->data can be controlled by the user here.\n> \n> The sctp_event_subscribe struct has 13 __u8 fields and we want to see\n> if ours is non-zero.  sn_type can be any value in the 0-USHRT_MAX range.\n> We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read\n> either before the start of the struct or after the end.\n> \n> This is a very old bug and it's surprising that it would go undetected\n> for so long but my theory is that it just doesn't have a big impact so\n> it would be hard to notice.\n> \n> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>\n> ---\n> v2:  Use reverse-christmas-tree local variable ordering.\n\nApplied and queued up for -stable, thanks.","headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xszFD4BShz9sRm\n\tfor <patchwork-incoming@ozlabs.org>;\n\tThu, 14 Sep 2017 10:00:32 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751365AbdINAA3 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 13 Sep 2017 20:00:29 -0400","from shards.monkeyblade.net ([184.105.139.130]:60506 \"EHLO\n\tshards.monkeyblade.net\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751173AbdINAA0 (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 13 Sep 2017 20:00:26 -0400","from localhost (74-93-104-98-Washington.hfc.comcastbusiness.net\n\t[74.93.104.98]) (using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(Client did not present a certificate)\n\t(Authenticated sender: davem-davemloft)\n\tby shards.monkeyblade.net (Postfix) with ESMTPSA id 129AF10257776;\n\tWed, 13 Sep 2017 17:00:20 -0700 (PDT)"],"Date":"Wed, 13 Sep 2017 17:00:19 -0700 (PDT)","Message-Id":"<20170913.170019.543516362575770735.davem@davemloft.net>","To":"dan.carpenter@oracle.com","Cc":"vyasevich@gmail.com, nhorman@tuxdriver.com,\n\tlinux-sctp@vger.kernel.org, netdev@vger.kernel.org,\n\tkernel-janitors@vger.kernel.org","Subject":"Re: [PATCH v2 net] sctp: potential read out of bounds in\n\tsctp_ulpevent_type_enabled()","From":"David Miller <davem@davemloft.net>","In-Reply-To":"<20170913230054.fmtidvfi2swvy2mm@mwanda>","References":"<20170913.092522.934509429497822082.davem@davemloft.net>\n\t<20170913230054.fmtidvfi2swvy2mm@mwanda>","X-Mailer":"Mew version 6.7 on Emacs 25.2 / Mule 6.0 (HANACHIRUSATO)","Mime-Version":"1.0","Content-Type":"Text/Plain; charset=us-ascii","Content-Transfer-Encoding":"7bit","X-Greylist":"Sender succeeded SMTP AUTH, not delayed by\n\tmilter-greylist-4.5.12 (shards.monkeyblade.net\n\t[149.20.54.216]); Wed, 13 Sep 2017 17:00:20 -0700 (PDT)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"}}]