From a640e97a2265ef241da0873593308907d71f1b3f Mon Sep 17 00:00:00 2001
From: Nicolas PLANEL
Date: Tue, 26 Aug 2014 11:21:12 -0400
Subject: [PATCH 1/4] qdisc: avoid calling strstr() with a NULL haystack

Signed-off-by: Thomas Haller
---
 lib/cli/qdisc/hfsc.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/lib/cli/qdisc/hfsc.c b/lib/cli/qdisc/hfsc.c
index 1e6878a..6a0c960 100644
--- a/lib/cli/qdisc/hfsc.c
+++ b/lib/cli/qdisc/hfsc.c
@@ -81,12 +81,13 @@ hfsc_get_sc(char *optarg, struct tc_service_curve *sc)
 {
 	unsigned int m1 = 0, d = 0, m2 = 0;
 	char *tmp = strdup(optarg);
-	char *p = tmp, *endptr;
+	char *p, *endptr;
+	char *pp = tmp;
 
 	if (!tmp)
 		return -ENOMEM;
 
-	p = strstr(p, "m1:");
+	p = strstr(pp, "m1:");
 	if (p) {
 		char *q;
 		p += 3;
@@ -99,10 +100,10 @@ hfsc_get_sc(char *optarg, struct tc_service_curve *sc)
 		m1 = strtoul(p, &endptr, 10);
 		if (endptr == p)
 			goto err;
-		p = q + 1;
-	}
+		pp = q + 1;
+	}
 
-	p = strstr(p, "d:");
+	p = strstr(pp, "d:");
 	if (p) {
 		char *q;
 		p += 2;
@@ -115,10 +116,10 @@ hfsc_get_sc(char *optarg, struct tc_service_curve *sc)
 		d = strtoul(p, &endptr, 10);
 		if (endptr == p)
 			goto err;
-		p = q + 1;
-	}
+		pp = q + 1;
+	}
 
-	p = strstr(p, "m2:");
+	p = strstr(pp, "m2:");
 	if (p) {
 		p += 3;
 		if (*p == 0)
@@ -126,7 +127,7 @@ hfsc_get_sc(char *optarg, struct tc_service_curve *sc)
 		m2 = strtoul(p, &endptr, 10);
 		if (endptr == p)
 			goto err;
-	} else
+	} else
 		goto err;
 
 	free(tmp);

From 77bbf2270ce7c166c87933dc2d70e9619bf6b6e3 Mon Sep 17 00:00:00 2001
From: Nicolas PLANEL
Date: Tue, 26 Aug 2014 11:31:15 -0400
Subject: [PATCH 2/4] xfrm: fix an unintialized return value on memory allocation error in xfrmnl_ae_parse()

fix : err = -ENOMEM if calloc() failed

Signed-off-by: Thomas Haller
---
 lib/xfrm/ae.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/xfrm/ae.c b/lib/xfrm/ae.c
index a4db300..4fe9647 100644
--- a/lib/xfrm/ae.c
+++ b/lib/xfrm/ae.c
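Review bot: The values parsed in the second, third and fourth hunks are taken from `strtoul` with only the `endptr == p` check, so `m1 = strtoul(p, &endptr, 10);` (and likewise `d` and `m2`) accepts an out-of-range number without ever examining `ERANGE` and then silently narrows the `unsigned long` into an `unsigned int` on LP64 targets; since `optarg` is command-line input, each site should reject the range explicitly, e.g. `errno = 0; unsigned long v = strtoul(p, &endptr, 10); if (endptr == p || errno == ERANGE || v > UINT_MAX) goto err;` (`UINT_MAX` from `<limits.h>`). In the first hunk `strdup(optarg)` runs before anything checks `optarg`; if a caller can pass NULL that is undefined behaviour, so a guard `if (!optarg) return -EINVAL;` ahead of the `strdup` is cheap insurance. The `}` and `} else` lines removed and re-added with identical visible text look like whitespace-only changes bundled into the fix, though the exact whitespace is not recoverable here. hfsc_get_sc continues outside every hunk; in particular the `q` consumed by `pp = q + 1` is assigned in lines not shown, so whether it can be NULL there cannot be judged from this patch.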
@@ -533,8 +533,10 @@ int xfrmnl_ae_parse(struct nlmsghdr *n, struct xfrmnl_ae **result)
 		struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
 		uint32_t len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
 
-		if ((ae->replay_state_esn = calloc (1, len)) == NULL)
+		if ((ae->replay_state_esn = calloc (1, len)) == NULL) {
+			err = -ENOMEM;
 			goto errout;
+		}
 		ae->replay_state_esn->oseq = esn->oseq;
 		ae->replay_state_esn->seq = esn->seq;
 		ae->replay_state_esn->oseq_hi = esn->oseq_hi;

From 06140c3ec9f0ab952fb42f112be7143d69688984 Mon Sep 17 00:00:00 2001
From: Nicolas PLANEL
Date: Tue, 26 Aug 2014 11:34:40 -0400
Subject: [PATCH 3/4] xfrm: fix xfrm_sa_msg_parser() to return the value from the callback

Signed-off-by: Thomas Haller
---
 lib/xfrm/sa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/xfrm/sa.c b/lib/xfrm/sa.c
index 9b5ea9d..693eee4 100644
--- a/lib/xfrm/sa.c
+++ b/lib/xfrm/sa.c
@@ -990,7 +990,7 @@ static int xfrm_sa_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
 	err = pp->pp_cb((struct nl_object *) sa, pp);
 
 	xfrmnl_sa_put(sa);
-	return 0;
+	return err;
 }
 
 /**

From 592d665fbcdc46574ed1789b2a9073a5fcd5e4f3 Mon Sep 17 00:00:00 2001
From: Nicolas PLANEL
Date: Tue, 26 Aug 2014 11:43:49 -0400
Subject: [PATCH 4/4] cls: check data before memcpy() it

[thaller@redhat.com: I modified the condition "if (data && len)" in the original patch to just check "len > 0". Note that all call sites of meta_alloc() make sure to pass a valid data pointer with a non-zero length (anything else would be a bug). But indeed, calling memcpy with invalid src pointer is undefined behavior, even if len is zero.]

Signed-off-by: Thomas Haller
---
 lib/route/cls/ematch/meta.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/route/cls/ematch/meta.c b/lib/route/cls/ematch/meta.c
index 6249bb1..e33c405 100644
--- a/lib/route/cls/ematch/meta.c
+++ b/lib/route/cls/ematch/meta.c
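Review bot: The allocation size on the `uint32_t len = ...` context line just above the new `-ENOMEM` path is derived from `esn->bmp_len`, a field read straight out of the netlink attribute, and nothing visible checks that the attribute payload is actually large enough to hold `bmp_len` bitmap words or that `bmp_len` is within a sane bound; the `size_t` sum is also narrowed to `uint32_t`, so an oversized `bmp_len` can produce a too-small `calloc` followed by out-of-bounds reads from `esn` when the bitmap is copied (that copy presumably follows the shown lines). The length should be validated against `nla_len()` of the attribute, and capped (the kernel limits it to `XFRMA_REPLAY_ESN_MAX` from linux/xfrm.h), before any allocation; the sketch below does that using the hunk's own `err`/`errout` convention and declares `len` as `size_t` to drop the narrowing. If `nla_parse()` earlier in xfrmnl_ae_parse already enforces a minimum length for `XFRMA_REPLAY_ESN_VAL`, the first clause is redundant but harmless; that policy lies outside the hunk, as does the rest of the function.
```c
		struct xfrm_replay_state_esn* esn = nla_data (tb[XFRMA_REPLAY_ESN_VAL]);
		size_t len;

		/* bmp_len is message-controlled: bound it and make sure the payload holds it */
		if (nla_len (tb[XFRMA_REPLAY_ESN_VAL]) < sizeof (*esn) ||
		    esn->bmp_len > XFRMA_REPLAY_ESN_MAX ||
		    nla_len (tb[XFRMA_REPLAY_ESN_VAL]) < sizeof (*esn) + esn->bmp_len * sizeof (uint32_t)) {
			err = -EINVAL;
			goto errout;
		}
		len = sizeof (struct xfrmnl_replay_state_esn) + (sizeof (uint32_t) * esn->bmp_len);
		/* … unchanged: calloc with the -ENOMEM path from this hunk, field copies … */
```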
@@ -51,7 +51,8 @@ static struct rtnl_meta_value *meta_alloc(uint8_t type, uint16_t id,
 	value->mv_shift = shift;
 	value->mv_len = len;
 
-	memcpy(value + 1, data, len);
+	if (len)
+		memcpy(value + 1, data, len);
 
 	return value;
 }
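Review bot: The new `if (len)` guard leaves the precondition on `data` unstated in the code itself — the commit message explains that every caller passes a valid pointer with a non-zero length, but a future caller passing `len > 0` with a NULL `data` still reaches the `memcpy`, and nothing at this site will tell them why that is their bug. A comment on the guarded `memcpy` would carry that reasoning into the source, e.g. `/* callers guarantee data != NULL whenever len > 0; even a zero-length memcpy from an invalid pointer is UB, hence the guard */`. meta_alloc's signature and the allocation of `value` (which must reserve `len` bytes after the struct for this copy to be in bounds) are outside the hunk, so the size match cannot be confirmed from this patch.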