diff mbox series

[next] net/tls: fix sign extension issue when left shifting u16 value

Message ID 20200630142746.516188-1-colin.king@canonical.com
State Accepted
Delegated to: David Miller
Headers show
Series [next] net/tls: fix sign extension issue when left shifting u16 value | expand

Commit Message

Colin King June 30, 2020, 2:27 p.m. UTC
From: Colin Ian King <colin.king@canonical.com>

Left shifting the u16 value promotes it to a int and then it
gets sign extended to a u64.  If len << 16 is greater than 0x7fffffff
then the upper bits get set to 1 because of the implicit sign extension.
Fix this by casting len to u64 before shifting it.

Addresses-Coverity: ("integer handling issues")
Fixes: ed9b7646b06a ("net/tls: Add asynchronous resync")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 include/net/tls.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Tariq Toukan June 30, 2020, 2:43 p.m. UTC | #1
On 6/30/2020 5:27 PM, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> Left shifting the u16 value promotes it to a int and then it
> gets sign extended to a u64.  If len << 16 is greater than 0x7fffffff
> then the upper bits get set to 1 because of the implicit sign extension.
> Fix this by casting len to u64 before shifting it.
> 
> Addresses-Coverity: ("integer handling issues")
> Fixes: ed9b7646b06a ("net/tls: Add asynchronous resync")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>   include/net/tls.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/net/tls.h b/include/net/tls.h
> index c875c0a445a6..e5dac7e74e79 100644
> --- a/include/net/tls.h
> +++ b/include/net/tls.h
> @@ -637,7 +637,7 @@ tls_offload_rx_resync_async_request_start(struct sock *sk, __be32 seq, u16 len)
>   	struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
>   
>   	atomic64_set(&rx_ctx->resync_async->req, ((u64)ntohl(seq) << 32) |
> -		     (len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC);
> +		     ((u64)len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC);
>   	rx_ctx->resync_async->loglen = 0;
>   }
>   
> 

Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Thanks!
David Miller June 30, 2020, 8:37 p.m. UTC | #2
From: Colin King <colin.king@canonical.com>
Date: Tue, 30 Jun 2020 15:27:46 +0100

> From: Colin Ian King <colin.king@canonical.com>
> 
> Left shifting the u16 value promotes it to a int and then it
> gets sign extended to a u64.  If len << 16 is greater than 0x7fffffff
> then the upper bits get set to 1 because of the implicit sign extension.
> Fix this by casting len to u64 before shifting it.
> 
> Addresses-Coverity: ("integer handling issues")
> Fixes: ed9b7646b06a ("net/tls: Add asynchronous resync")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Applied, thanks Colin.
diff mbox series

Patch

diff --git a/include/net/tls.h b/include/net/tls.h
index c875c0a445a6..e5dac7e74e79 100644
--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -637,7 +637,7 @@  tls_offload_rx_resync_async_request_start(struct sock *sk, __be32 seq, u16 len)
 	struct tls_offload_context_rx *rx_ctx = tls_offload_ctx_rx(tls_ctx);
 
 	atomic64_set(&rx_ctx->resync_async->req, ((u64)ntohl(seq) << 32) |
-		     (len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC);
+		     ((u64)len << 16) | RESYNC_REQ | RESYNC_REQ_ASYNC);
 	rx_ctx->resync_async->loglen = 0;
 }