[PATCH] rxrpc: Initialize sockaddr_rxrpc directly

Posted by Matt Jan 2 weeks, 4 days ago
In rxrpc_lookup_peer_local_rcu(), removed the redundant memset call
that zeros out the sockaddr_rxrpc structure before setting its fields.
Instead, initialize the sockaddr_rxrpc structure directly in
rxrpc_input_error().

This change simplifies the code and ensures that the sockaddr_rxrpc
structure is properly zero-initialized.

Reported-by: syzbot+14c04e62ca58315571d1@syzkaller.appspotmail.com
Signed-off-by: Matt Jan <zoo868e@gmail.com>
---
 net/rxrpc/peer_event.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
index 552ba84a255c..c86b432201fd 100644
--- a/net/rxrpc/peer_event.c
+++ b/net/rxrpc/peer_event.c
@@ -33,7 +33,6 @@ static struct rxrpc_peer *rxrpc_lookup_peer_local_rcu(struct rxrpc_local *local,
 
 	_enter("");
 
-	memset(srx, 0, sizeof(*srx));
 	srx->transport_type = local->srx.transport_type;
 	srx->transport_len = local->srx.transport_len;
 	srx->transport.family = local->srx.transport.family;
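Review bot: Dropping the memset() here turns rxrpc_lookup_peer_local_rcu() into a function with an undocumented precondition: the three assignments that remain set only transport_type, transport_len and transport.family, so every other byte of *srx is now whatever the caller left there. If the zeroing is to live in the caller, add a comment above the function stating that srx must be zero-initialised by the caller, or keep the memset() so the function stays safe on its own.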
@@ -134,7 +133,7 @@ static void rxrpc_adjust_mtu(struct rxrpc_peer *peer, unsigned int mtu)
 void rxrpc_input_error(struct rxrpc_local *local, struct sk_buff *skb)
 {
 	struct sock_exterr_skb *serr = SKB_EXT_ERR(skb);
-	struct sockaddr_rxrpc srx;
+	struct sockaddr_rxrpc srx = {};
 	struct rxrpc_peer *peer = NULL;
 
 	_enter("L=%x", local->debug_id);
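Review bot: The commit message says this "ensures that the sockaddr_rxrpc structure is properly zero-initialized", but `struct sockaddr_rxrpc srx = {};` only relocates the zeroing that the removed memset() already did in the callee; no code observes srx between the declaration and the call, so the behaviour is unchanged and the Reported-by tag overstates what the patch fixes. Note also that an empty initialiser is not a strict equivalent of memset(): it zeroes the members, but the C standard does not guarantee that padding bytes are cleared, so if sockaddr_rxrpc is ever compared with memcmp() or copied out whole, the memset() form is the safer one. Either describe the change as a pure cleanup without the syzbot reference, or explain in the message where the uninitialised bytes in the report actually originate.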
-- 
2.25.1
Re: [PATCH] rxrpc: Initialize sockaddr_rxrpc directly
Posted by David Howells 5 days, 18 hours ago
Matt Jan <zoo868e@gmail.com> wrote:

> In rxrpc_lookup_peer_local_rcu(), removed the redundant memset call
> that zeros out the sockaddr_rxrpc structure before setting its fields.
> Instead, initialize the sockaddr_rxrpc structure directly in
> rxrpc_input_error().
> 
> This change simplifies the code and ensures that the sockaddr_rxrpc
> structure is properly zero-initialized.

How does that actually fix the issue?

All the patch does is move the initialisation of srx from
rxrpc_lookup_peer_local_rcu() into its only caller - and nothing samples the
contents of srx between.

Looking at the bug report, the history of the uninitialised location goes back
further, to a network address generated/assembled in the ipv6 stack or from
the transmission side of the rxrpc stack, possibly call->peer->srx.transport.

David