Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752391AbdLHEe6 (ORCPT ); Thu, 7 Dec 2017 23:34:58 -0500 Received: from imap1.codethink.co.uk ([176.9.8.82]:46651 "EHLO imap1.codethink.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750930AbdLHEe5 (ORCPT ); Thu, 7 Dec 2017 23:34:57 -0500 Message-ID: <1512707691.18523.239.camel@codethink.co.uk> Subject: Re: [PATCH 4.4 33/49] net: sctp: fix array overrun read on sctp_timer_tbl From: Ben Hutchings To: Greg Kroah-Hartman , linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org, Colin Ian King , "David S. Miller" , Sasha Levin Date: Fri, 08 Dec 2017 04:34:51 +0000 In-Reply-To: <20171207124708.361475310@linuxfoundation.org> References: <20171207124703.742654162@linuxfoundation.org> <20171207124708.361475310@linuxfoundation.org> Organization: Codethink Ltd. Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6-1+deb9u1 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1488 Lines: 48 On Thu, 2017-12-07 at 14:07 +0100, Greg Kroah-Hartman wrote: > 4.4-stable review patch.  If anyone has any objections, please let me > know. > > ------------------ > > From: Colin Ian King > > > [ Upstream commit 0e73fc9a56f22f2eec4d2b2910c649f7af67b74d ] > > The comparison on the timeout can lead to an array overrun > read on sctp_timer_tbl because of an off-by-one error. Fix > this by using < instead of <= and also compare to the array > size rather than SCTP_EVENT_TIMEOUT_MAX. > > Fixes CoverityScan CID#1397639 ("Out-of-bounds read") SCTP_EVENT_TIMEOUT_MAX is one less than the array size, so the bounds check using <= was correct. This is cleanup, not a bug fix. Ben. > Signed-off-by: Colin Ian King > Signed-off-by: David S. Miller > Signed-off-by: Sasha Levin > Signed-off-by: Greg Kroah-Hartman > --- >  net/sctp/debug.c |    2 +- >  1 file changed, 1 insertion(+), 1 deletion(-) > > --- a/net/sctp/debug.c > +++ b/net/sctp/debug.c > @@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[ >  /* Lookup timer debug name. */ >  const char *sctp_tname(const sctp_subtype_t id) >  { > - if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX) > + if (id.timeout < ARRAY_SIZE(sctp_timer_tbl)) >   return sctp_timer_tbl[id.timeout]; >   return "unknown_timer"; >  } > > > -- Ben Hutchings Software Developer, Codethink Ltd.