diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-01-20 13:28:59 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-01-21 17:02:52 -0800 |
commit | 08d4d217dff89707471b26348d97258016fcb8ed (patch) | |
tree | 3974c68c132de6cb099244fec1a9600d8ec71b0c | |
parent | 2fa053a0a27440ba2ada7acbc0afb11cdae243b2 (diff) | |
download | linux-next-08d4d217dff89707471b26348d97258016fcb8ed.tar.gz |
rxrpc: out of bound read in debug code
Smatch complains because we are using an untrusted index into the
rxrpc_acks[] array. It's just a read and it's only in the debug code,
but it's simple enough to add a check and fix it.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/rxrpc/ar-ack.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/net/rxrpc/ar-ack.c b/net/rxrpc/ar-ack.c index e4d9cbcff402..cd97a0ce48d8 100644 --- a/net/rxrpc/ar-ack.c +++ b/net/rxrpc/ar-ack.c @@ -21,10 +21,17 @@ static unsigned int rxrpc_ack_defer = 1; -static const char *const rxrpc_acks[] = { - "---", "REQ", "DUP", "OOS", "WIN", "MEM", "PNG", "PNR", "DLY", "IDL", - "-?-" -}; +static const char *rxrpc_acks(u8 reason) +{ + static const char *const str[] = { + "---", "REQ", "DUP", "OOS", "WIN", "MEM", "PNG", "PNR", "DLY", + "IDL", "-?-" + }; + + if (reason >= ARRAY_SIZE(str)) + reason = ARRAY_SIZE(str) - 1; + return str[reason]; +} static const s8 rxrpc_ack_priority[] = { [0] = 0, @@ -50,7 +57,7 @@ void __rxrpc_propose_ACK(struct rxrpc_call *call, u8 ack_reason, ASSERTCMP(prior, >, 0); _enter("{%d},%s,%%%x,%u", - call->debug_id, rxrpc_acks[ack_reason], ntohl(serial), + call->debug_id, rxrpc_acks(ack_reason), ntohl(serial), immediate); if (prior < rxrpc_ack_priority[call->ackr_reason]) { @@ -637,7 +644,7 @@ process_further: hard, ntohl(ack.previousPacket), ntohl(ack.serial), - rxrpc_acks[ack.reason], + rxrpc_acks(ack.reason), ack.nAcks); rxrpc_extract_ackinfo(call, skb, latest, ack.nAcks); @@ -1180,7 +1187,7 @@ send_ACK: ntohl(ack.firstPacket), ntohl(ack.previousPacket), ntohl(ack.serial), - rxrpc_acks[ack.reason], + rxrpc_acks(ack.reason), ack.nAcks); del_timer_sync(&call->ack_timer); |