From patchwork Thu Aug 24 22:58:33 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 110964 Delivered-To: patch@linaro.org Received: by 10.140.95.78 with SMTP id h72csp121257qge; Thu, 24 Aug 2017 15:59:46 -0700 (PDT) X-Received: by 10.98.86.2 with SMTP id k2mr7911471pfb.143.1503615586276; Thu, 24 Aug 2017 15:59:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1503615586; cv=none; d=google.com; s=arc-20160816; b=POcDzJoqJtgFZ8/ETZgNRSC+2z3E2MYM3aAstao6Ecr2ah0TM3NlOKLQOcTV0puWio /ht+Dw+dshw2LQNz9zUe9l7Sk8iGoA2pQHkm0YV/nCZqkzchXbyuJmSL5iuUacZXiQMo plBRs95OxWZjGLP9o3MLEroeOXPYRG08DtTQQ37HvrKpJXt48L9tK45uaQQSRpPsWM2x 7IuwUgtAFMiiZcKCLi0peGYQ13VJncpi7+vXJllQ4XKPxfY8r2HIauRRoRWHgWQ46HfB STFTlrNaxioOWLDA8kgAJJktfCXyFTQMHF8Ye1LtgYorVqFF53rj+L1f3njhvKcvl1Oq tFDQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :arc-authentication-results; bh=lDUpO3e1CqyKjE0+2sXEokaq5ME+bBTGE90z1V4VpIg=; b=HKABdfJ5PnyVbYX1iOs1sDCrSSaW+uKNQj+rxQsfFI8BuFpmcZpYZmP1FS4iBNxnGU kq5V4NkTjlQVc8qoPVU7Qt2TyPqmFBYH3U6YL2NCgT0VIcIlBWCDP3MgoqOCtQdY+j6f +i9u3pnOPFadMJmVI7DWKbNCw8Umcy+F4pDxOpjVI0YyXLE6RgcAR4tIm2YnIRUnMJ0y N0zfPyjDgIaaKS0Xh+Pd4wXby6OFhYD2ZhfM4+ZZBqk/Utbx/5nTayyTknltf/t2t0mk uqTSDggde/Dz282TxcAn0y8ni01LQuGu1adhO4HeoUK13tESzjwv2DHnymtWMXZxAYI2 oHsw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i87si3531982pfd.457.2017.08.24.15.59.45; Thu, 24 Aug 2017 15:59:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754081AbdHXW7n (ORCPT + 26 others); Thu, 24 Aug 2017 18:59:43 -0400 Received: from mout.kundenserver.de ([217.72.192.73]:56242 "EHLO mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753990AbdHXW7l (ORCPT ); Thu, 24 Aug 2017 18:59:41 -0400 Received: from wuerfel.lan ([95.208.190.237]) by mrelayeu.kundenserver.de (mreue102 [212.227.15.145]) with ESMTPA (Nemesis) id 0Mb8iR-1dzVoT19wZ-00KdAM; Fri, 25 Aug 2017 00:59:34 +0200 From: Arnd Bergmann To: Karsten Keil , "David S. Miller" Cc: Arnd Bergmann , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] isdn: hisax: fix buffer overflow check Date: Fri, 25 Aug 2017 00:58:33 +0200 Message-Id: <20170824225931.1602326-1-arnd@arndb.de> X-Mailer: git-send-email 2.9.0 X-Provags-ID: V03:K0:LTt7DjOfmNGakEKkNrd/8bwZkGDWtEZ2HFsToEvCrMhKT/UUJ9k njXodIMYex4WYHlRrCLGFuCERIeyvhlbiIF9XBpWb9w8krNIWhOLu7V6ZkhH7yWfKtg5Cdb Tpylqt2as2HdgJOEZL1qUgnI8wW4vQCvIq2DaeKCI/IvKNZrJcFaDZxJk/nYYopuzkQ1n5F LdWiPbfG5TLR4sj3FaRew== X-UI-Out-Filterresults: notjunk:1; V01:K0:4/6IHZWzF1A=:st18pAKNQrUSMoJ9RzUksj nG0CdFG9uOx51h7i1bRZqE+1a+f/X+Jl7g02KDbBht1kI8/NpMf6Dy4EzAiLUXGsNh6FS6M7P 60IIhR9Gy1HGswKuoNQh+/vs1uuEusMRPRFtMZpuCyPnGZhMKQ48VSSPy8BCgLm6EGz5HEpxA Lv46XUB/D2HE3Jdxj8YvqTwc+uBELhtxZtCKi8mvytvWt7Ax39nLJ6MEMk71Rq95hwmYw6rcS 75SvRbvZcBhbKgb+EcdifSJ/ugrRjyvfQBwoPvuwBYESY/IlSCzYXuF6nst0HrG8lURyDr6Dm uk3Bt9BL4IS6Iz8gTM82npJrpI4u+CYMV89XCT3YCDo5txqge5bv4J6sFs84W//9FSKhGAp2f F0tmW/qmQznaFbQXlr2of6eNZUSdjI/ZRTU0qmuXUoAyLTCh+Y5h+2lYiR08n915uWPkQUSfM l/ytfNyqAkVgQQ20nEpT/LQh9l9F0wcIL3ldsMItQWt4L4dIwYtLe62tfGpMfsY+jnG9zwHzy v00cc6BklRKnh4ajqn+sLVg3+ToDZviKIC88OyVeNhUaOf35ZBQ7vyJpRkIC+Bubte9vlQB0u 7utPU9WnKWm4wCPeOiwC7QQxuZ57Hktk3p8KMWJXtGkLYvp4Dj3DdxFgO8PASoNj6Y+94CmgJ ieJsGJN/kK7zeYg8FCNDdqDXMobFNlCFjJbGvrnudBLz1U9Fmam6LPFJsjcXjZN77+4lnJwte BvTxNCPxbjcY0SkyPULC7FZGSGrsaAMcFpP82Q== Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org gcc-8 warns about a corner case that can overflow a memcpy buffer when a length variable is negative. While the code checks for an overly large value, it does not check for a negative length that would get turned into a large positive number: In function 'memcpy', inlined from 'skb_put_data' at include/linux/skbuff.h:2042:2, inlined from 'l3dss1_cmd_global' at drivers/isdn/hisax/l3dss1.c:2219:4: include/linux/string.h:348:9: error: '__builtin_memcpy' reading 266 or more bytes from a region of size 265 [-Werror=stringop-overflow=] In function 'memcpy', inlined from 'skb_put_data' at include/linux/skbuff.h:2042:2, inlined from 'l3ni1_cmd_global' at drivers/isdn/hisax/l3ni1.c:2079:4: include/linux/string.h:348:9: error: '__builtin_memcpy' reading between 266 and 4294967295 bytes from a region of size 265 [-Werror=stringop-overflow=] It's not clear to me whether the warning should be here, or if this is another case of an optimization step in gcc causing a warning about something that would otherwise be silently ignored. Either way, making the length 'unsigned int' instead ensures that no overflow can happen here, and avoids the warning. The same code exists in two files, so I'm patching both the same way. Signed-off-by: Arnd Bergmann --- drivers/isdn/hisax/l3dss1.c | 3 ++- drivers/isdn/hisax/l3ni1.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) -- 2.9.0 diff --git a/drivers/isdn/hisax/l3dss1.c b/drivers/isdn/hisax/l3dss1.c index 18a3484b1f7e..85cef7a2e709 100644 --- a/drivers/isdn/hisax/l3dss1.c +++ b/drivers/isdn/hisax/l3dss1.c @@ -2168,7 +2168,8 @@ static int l3dss1_cmd_global(struct PStack *st, isdn_ctrl *ic) { u_char id; u_char temp[265]; u_char *p = temp; - int i, l, proc_len; + int i; + unsigned int l, proc_len; struct sk_buff *skb; struct l3_process *pc = NULL; diff --git a/drivers/isdn/hisax/l3ni1.c b/drivers/isdn/hisax/l3ni1.c index ea311e7df48e..99e0ba5d49a1 100644 --- a/drivers/isdn/hisax/l3ni1.c +++ b/drivers/isdn/hisax/l3ni1.c @@ -2024,7 +2024,8 @@ static int l3ni1_cmd_global(struct PStack *st, isdn_ctrl *ic) { u_char id; u_char temp[265]; u_char *p = temp; - int i, l, proc_len; + int i; + unsigned int l, proc_len; struct sk_buff *skb; struct l3_process *pc = NULL;