Message ID | 20190325124050.1285877-1-arnd@arndb.de |
---|---|
State | Superseded |
Headers | show |
Series | [v2] selinux: avoid uninitialized variable warning | expand |
On Mon, Mar 25, 2019 at 8:40 AM Arnd Bergmann <arnd@arndb.de> wrote: > clang correctly points out a code path that would lead > to an uninitialized variable use: > > security/selinux/netlabel.c:310:6: error: variable 'addr' is used uninitialized whenever 'if' condition is false > [-Werror,-Wsometimes-uninitialized] > if (ip_hdr(skb)->version == 4) { > ^~~~~~~~~~~~~~~~~~~~~~~~~ > security/selinux/netlabel.c:322:40: note: uninitialized use occurs here > rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr); > ^~~~ > security/selinux/netlabel.c:310:2: note: remove the 'if' if its condition is always true > if (ip_hdr(skb)->version == 4) { > ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > security/selinux/netlabel.c:291:23: note: initialize the variable 'addr' to silence this warning > struct sockaddr *addr; > ^ > = NULL > > This is probably harmless since we should not see ipv6 packets > of CONFIG_IPV6 is disabled, but it's better to rearrange the code > so this cannot happen. > > Link: https://lore.kernel.org/patchwork/patch/1053663/ > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > v2: revise after discussing with Paul Moore > --- > security/selinux/netlabel.c | 14 +++++--------- > 1 file changed, 5 insertions(+), 9 deletions(-) > > diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c > index 186e727b737b..fb4351733450 100644 > --- a/security/selinux/netlabel.c > +++ b/security/selinux/netlabel.c > @@ -288,11 +288,8 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, > int rc; > struct netlbl_lsm_secattr secattr; > struct sk_security_struct *sksec = ep->base.sk->sk_security; > - struct sockaddr *addr; > struct sockaddr_in addr4; > -#if IS_ENABLED(CONFIG_IPV6) > struct sockaddr_in6 addr6; > -#endif > > if (ep->base.sk->sk_family != PF_INET && > ep->base.sk->sk_family != PF_INET6) > @@ -310,16 +307,15 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, > if (ip_hdr(skb)->version == 4) { > addr4.sin_family = AF_INET; > addr4.sin_addr.s_addr = ip_hdr(skb)->saddr; > - addr = (struct sockaddr *)&addr4; > -#if IS_ENABLED(CONFIG_IPV6) > - } else { > + rc = netlbl_conn_setattr(ep->base.sk, (void*)&addr4, &secattr); > + } else if (IS_ENABLED(CONFIG_IPV6)) { I thought we had talked about using an else-if statement like the one below, is there any reason why you changed it to just the IS_ENABLED() check? I liked the idea of explicitly checking the IP header version number before treating the packet as an IPv6 packet. else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) > addr6.sin6_family = AF_INET6; > addr6.sin6_addr = ipv6_hdr(skb)->saddr; > - addr = (struct sockaddr *)&addr6; > -#endif > + rc = netlbl_conn_setattr(ep->base.sk, (void*)&addr6, &secattr); > + } else { > + rc = -EAFNOSUPPORT; > } > > - rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr); > if (rc == 0) > sksec->nlbl_state = NLBL_LABELED; > > -- > 2.20.0 > -- paul moore www.paul-moore.com
On Mon, Mar 25, 2019 at 3:15 PM Paul Moore <paul@paul-moore.com> wrote: > On Mon, Mar 25, 2019 at 8:40 AM Arnd Bergmann <arnd@arndb.de> wrote: > > clang correctly points out a code path that would lead > > -#if IS_ENABLED(CONFIG_IPV6) > > - } else { > > + rc = netlbl_conn_setattr(ep->base.sk, (void*)&addr4, &secattr); > > + } else if (IS_ENABLED(CONFIG_IPV6)) { > > I thought we had talked about using an else-if statement like the one > below, is there any reason why you changed it to just the IS_ENABLED() > check? I liked the idea of explicitly checking the IP header version > number before treating the packet as an IPv6 packet. > > else if (IS_ENABLED(CONFIG_IPV6) && ip_hdr(skb)->version == 6) Ah of course, sorry for missing that important part when I revisited the patch. I've sent a v3 now. Arnd
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c index 186e727b737b..fb4351733450 100644 --- a/security/selinux/netlabel.c +++ b/security/selinux/netlabel.c @@ -288,11 +288,8 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, int rc; struct netlbl_lsm_secattr secattr; struct sk_security_struct *sksec = ep->base.sk->sk_security; - struct sockaddr *addr; struct sockaddr_in addr4; -#if IS_ENABLED(CONFIG_IPV6) struct sockaddr_in6 addr6; -#endif if (ep->base.sk->sk_family != PF_INET && ep->base.sk->sk_family != PF_INET6) @@ -310,16 +307,15 @@ int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep, if (ip_hdr(skb)->version == 4) { addr4.sin_family = AF_INET; addr4.sin_addr.s_addr = ip_hdr(skb)->saddr; - addr = (struct sockaddr *)&addr4; -#if IS_ENABLED(CONFIG_IPV6) - } else { + rc = netlbl_conn_setattr(ep->base.sk, (void*)&addr4, &secattr); + } else if (IS_ENABLED(CONFIG_IPV6)) { addr6.sin6_family = AF_INET6; addr6.sin6_addr = ipv6_hdr(skb)->saddr; - addr = (struct sockaddr *)&addr6; -#endif + rc = netlbl_conn_setattr(ep->base.sk, (void*)&addr6, &secattr); + } else { + rc = -EAFNOSUPPORT; } - rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr); if (rc == 0) sksec->nlbl_state = NLBL_LABELED;
clang correctly points out a code path that would lead to an uninitialized variable use: security/selinux/netlabel.c:310:6: error: variable 'addr' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] if (ip_hdr(skb)->version == 4) { ^~~~~~~~~~~~~~~~~~~~~~~~~ security/selinux/netlabel.c:322:40: note: uninitialized use occurs here rc = netlbl_conn_setattr(ep->base.sk, addr, &secattr); ^~~~ security/selinux/netlabel.c:310:2: note: remove the 'if' if its condition is always true if (ip_hdr(skb)->version == 4) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ security/selinux/netlabel.c:291:23: note: initialize the variable 'addr' to silence this warning struct sockaddr *addr; ^ = NULL This is probably harmless since we should not see ipv6 packets of CONFIG_IPV6 is disabled, but it's better to rearrange the code so this cannot happen. Link: https://lore.kernel.org/patchwork/patch/1053663/ Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- v2: revise after discussing with Paul Moore --- security/selinux/netlabel.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) -- 2.20.0