diff mbox

genetlink: fix unsigned int comparison with less than zero

Message ID 20161110155758.26996-1-colin.king@canonical.com
State Changes Requested, archived
Delegated to: David Miller
Headers show

Commit Message

Colin Ian King Nov. 10, 2016, 3:57 p.m. UTC 
From: Colin Ian King <colin.king@canonical.com>

family->id is unsigned, so the less than zero check for
failure return from idr_alloc is never true and so the error exit
is never handled.  Instead, assign err and check if this is less
than zero since this is a signed integer.

Issue found with static analysis with CoverityScan, CID 1375916

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/netlink/genetlink.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

Comments

Cong Wang Nov. 10, 2016, 5:11 p.m. UTC | #1 
On Thu, Nov 10, 2016 at 7:57 AM, Colin King <colin.king@canonical.com> wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> family->id is unsigned, so the less than zero check for
> failure return from idr_alloc is never true and so the error exit
> is never handled.  Instead, assign err and check if this is less
> than zero since this is a signed integer.

Why family->id can't be just signed int? For me it should be.
Johannes Berg Nov. 12, 2016, 9:37 p.m. UTC | #2 
On Thu, 2016-11-10 at 09:11 -0800, Cong Wang wrote:
> On Thu, Nov 10, 2016 at 7:57 AM, Colin King <colin.king@canonical.com
> > wrote:
> > 
> > From: Colin Ian King <colin.king@canonical.com>
> > 
> > family->id is unsigned, so the less than zero check for
> > failure return from idr_alloc is never true and so the error exit
> > is never handled.  Instead, assign err and check if this is less
> > than zero since this is a signed integer.
> 
> Why family->id can't be just signed int? For me it should be.

I suppose it could be, since family IDs are allocated in a 16-bit range
anyway. But family IDs can also never actually be negative, so having
an unsigned int in the struct makes sense too.

I tend to think this patch is fine.

johannes
Cong Wang Nov. 13, 2016, 5:25 a.m. UTC | #3 
On Sat, Nov 12, 2016 at 1:37 PM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> On Thu, 2016-11-10 at 09:11 -0800, Cong Wang wrote:
>> On Thu, Nov 10, 2016 at 7:57 AM, Colin King <colin.king@canonical.com
>> > wrote:
>> >
>> > From: Colin Ian King <colin.king@canonical.com>
>> >
>> > family->id is unsigned, so the less than zero check for
>> > failure return from idr_alloc is never true and so the error exit
>> > is never handled.  Instead, assign err and check if this is less
>> > than zero since this is a signed integer.
>>
>> Why family->id can't be just signed int? For me it should be.
>
> I suppose it could be, since family IDs are allocated in a 16-bit range
> anyway. But family IDs can also never actually be negative, so having
> an unsigned int in the struct makes sense too.

All idr_* API's accept int, rather than unsigned int. This is my point.
Johannes Berg Nov. 13, 2016, 7:31 a.m. UTC | #4 
> > I suppose it could be, since family IDs are allocated in a 16-bit
> > range
> > anyway. But family IDs can also never actually be negative, so
> > having
> > an unsigned int in the struct makes sense too.
> 
> All idr_* API's accept int, rather than unsigned int. This is my
> point.

Sure, but that's an internal implementation detail. The struct
genl_family is also an external API towards its users, and there
negative numbers make no sense whatsoever.

johannes
diff mbox

Patch

diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index f0b65fe..2ea61ba 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -360,12 +360,10 @@  int genl_register_family(struct genl_family *family)
 	} else
 		family->attrbuf = NULL;
 
-	family->id = idr_alloc(&genl_fam_idr, family,
+	family->id = err = idr_alloc(&genl_fam_idr, family,
 			       start, end + 1, GFP_KERNEL);
-	if (family->id < 0) {
-		err = family->id;
+	if (err < 0)
 		goto errout_free;
-	}
 
 	err = genl_validate_assign_mc_groups(family);
 	if (err)