drbd: A few bug fixes

[PATCH 1/4] drbd: Fix out-of-bounds access

Posted by Ethan Tidmore 2 weeks, 5 days ago

The array sync_rule_names[] has 22 elements and rule is used to access
this array. The variable rule has the possibility of being index 22
because the condition (rule > ARRAY_SIZE(sync_rule_names)) could
evaluate to 22 > 22 which would be false and then rule would be used to
index sync_rule_names[] which would cause and out-of-bounds bug.

Change condition from (rule > ARRAY_SIZE(sync_rule_names)) to
(rule >= ARRAY_SIZE(sync_rule_names)).

Detected by Smatch:
drivers/block/drbd/drbd_receiver.c:280 drbd_sync_rule_str() error:
buffer overflow 'sync_rule_names' 22 <= 22

Fixes: 851f106c134a3 ("drbd: rework receiver for DRBD 9 transport and protocol")
Signed-off-by: Ethan Tidmore <ethantidmore06@gmail.com>
---
 drivers/block/drbd/drbd_receiver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
index 06d83b5ffafb..280be2ee7d7e 100644
--- a/drivers/block/drbd/drbd_receiver.c
+++ b/drivers/block/drbd/drbd_receiver.c
@@ -273,7 +273,7 @@ static void drbd_cancel_conflicting_resync_requests(struct drbd_peer_device *pee
 
 static const char *drbd_sync_rule_str(enum sync_rule rule)
 {
-	if (rule < 0 || rule > ARRAY_SIZE(sync_rule_names)) {
+	if (rule < 0 || rule >= ARRAY_SIZE(sync_rule_names)) {
 		WARN_ON(true);
 		return "?";
 	}
-- 
2.53.0

[PATCH 1/4] drbd: Fix out-of-bounds access
[PATCH 2/4] drbd: Fix variable dereference before check
[PATCH 3/4] drbd: Add missing error code in drbd_main.c
[PATCH 4/4] drbd: Add check for error pointer