projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f4195d1)
tipc: fix error handling of expanding buffer headroom
authorYing Xue <ying.xue@windriver.com>
Tue, 24 Nov 2015 05:57:57 +0000 (13:57 +0800)
committerDavid S. Miller <davem@davemloft.net>
Tue, 24 Nov 2015 16:26:19 +0000 (11:26 -0500)
Coverity says:

*** CID 1338065:  Error handling issues  (CHECKED_RETURN)
/net/tipc/udp_media.c: 162 in tipc_udp_send_msg()
156      struct udp_media_addr *dst = (struct udp_media_addr *)&dest->value;
157      struct udp_media_addr *src = (struct udp_media_addr *)&b->addr.value;
158      struct sk_buff *clone;
159      struct rtable *rt;
160
161      if (skb_headroom(skb) < UDP_MIN_HEADROOM)
>>>     CID 1338065:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "pskb_expand_head" without checking return value (as is done elsewhere 51 out of 56 times).
162      pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
163
164      clone = skb_clone(skb, GFP_ATOMIC);
165      skb_set_inner_protocol(clone, htons(ETH_P_TIPC));
166      ub = rcu_dereference_rtnl(b->media_ptr);
167      if (!ub) {

When expanding buffer headroom over udp tunnel with pskb_expand_head(),
it's unfortunate that we don't check its return value. As a result, if
the function returns an error code due to the lack of memory, it may
cause unpredictable consequence as we unconditionally consider that
it's always successful.

Fixes: e53567948f82 ("tipc: conditionally expand buffer headroom over udp tunnel")
Reported-by: <scan-admin@coverity.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/udp_media.c patch | blob | blame | history

diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index ad2719ad4c1baf38cd8e31b244fe703382da002a..70c03271b798f429d8d6faa5142fb2654753d342 100644 (file)
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -158,8 +158,11 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
        struct udp_media_addr *src = (struct udp_media_addr *)&b->addr.value;
        struct rtable *rt;
 
-       if (skb_headroom(skb) < UDP_MIN_HEADROOM)
-               pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
+       if (skb_headroom(skb) < UDP_MIN_HEADROOM) {
+               err = pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
+               if (err)
+                       goto tx_error;
+       }
 
        skb_set_inner_protocol(skb, htons(ETH_P_TIPC));
        ub = rcu_dereference_rtnl(b->media_ptr);