Static analysis - possible NULL dereference in mptcp_get_sub_addrs() #231
Comments
I double checked the relevant code paths and I think !np is not a possible condition in mptcp_get_sub_addrs(). Additionally, the address returned to user-space is zeroed at the beginning of such function, and I think that silencing the static checker is cheap and good, so Tim's patch looks correct to me: https://marc.info/?l=linux-netdev&m=163215255522383&w=2

I would simply add a WARN_ON_ONCE() to document that the event is really unexpected and get notified if the above statements prove to be incorrect.
Coverity complains of a possible NULL dereference in mptcp_getsockopt_subflow_addrs():

    861        } else if (sk->sk_family == AF_INET6) {
        3. returned_null: inet6_sk returns NULL. [show details]
        4. var_assigned: Assigning: np = NULL return value from inet6_sk.
    862                const struct ipv6_pinfo *np = inet6_sk(sk);

Fix this by checking for NULL.

Closes: multipath-tcp/mptcp_net-next#231
Fixes: c11c590 ("mptcp: add MPTCP_SUBFLOW_ADDRS getsockopt support")
Cc: Florian Westphal <[email protected]>
Signed-off-by: Tim Gardner <[email protected]>
[mjm: Added WARN_ON_ONCE() to the unexpected case]
Signed-off-by: Mat Martineau <[email protected]>
Coverity complains of a possible NULL dereference in mptcp_getsockopt_subflow_addrs():

    861        } else if (sk->sk_family == AF_INET6) {
        3. returned_null: inet6_sk returns NULL. [show details]
        4. var_assigned: Assigning: np = NULL return value from inet6_sk.
    862                const struct ipv6_pinfo *np = inet6_sk(sk);

Fix this by checking for NULL.

Closes: multipath-tcp/mptcp_net-next#231
Fixes: c11c590 ("mptcp: add MPTCP_SUBFLOW_ADDRS getsockopt support")
Cc: Florian Westphal <[email protected]>
Signed-off-by: Tim Gardner <[email protected]>
[mjm: Added WARN_ON_ONCE() to the unexpected case]
Signed-off-by: Mat Martineau <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Add a big batch of test coverage to assert all aspects of the tcx link API:

    # ./vmtest.sh -- ./test_progs -t tc_links
    [...]
    #225     tc_links_after:OK
    #226     tc_links_append:OK
    #227     tc_links_basic:OK
    #228     tc_links_before:OK
    #229     tc_links_chain_classic:OK
    #230     tc_links_dev_cleanup:OK
    #231     tc_links_invalid:OK
    #232     tc_links_prepend:OK
    #233     tc_links_replace:OK
    #234     tc_links_revision:OK
    Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
As reported on the mptcp and netdev mailing lists by @rtg-canonical:
This may be a false positive by the static checker. The main question is whether sk_fullsock() can ever return NULL in this part of the code. For this to happen, the subflow would have to be on the msk->conn_list even though a subflow disconnect was initiated locally. This doesn't look like it's expected, but need to confirm that it's impossible.
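
The pattern discussed in this issue (zero the user-visible record first, then guard the inet6_sk() result with a warn-once check and return early) as a user-space C model. This is an added example, not the kernel patch or the project's code; the struct names, the `warn_on_once()` helper, `nonzero_bytes()` and the field layout are constructed stand-ins, and only the IPv6 branch is modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types; every name here is hypothetical. */
enum { FAM_INET6 = 10 };
struct v6_info { unsigned char saddr[16]; };
struct model_sock {
    int family;
    unsigned short sport;
    const struct v6_info *pinet6;   /* may be NULL, like the inet6_sk() result */
};
struct sub_addrs { int family; unsigned short port; unsigned char addr[16]; };

static int warnings_logged;         /* how many warnings were actually emitted */

/* Imitates WARN_ON_ONCE() for one call site: returns cond, logs the first hit. */
static bool warn_on_once(bool cond, const char *what)
{
    if (cond && warnings_logged == 0) {
        warnings_logged++;
        fprintf(stderr, "WARNING (once): %s\n", what);
    }
    return cond;
}

/* IPv6 branch only; the IPv4 branch is left out of this model. */
void get_sub_addrs(const struct model_sock *sk, struct sub_addrs *a)
{
    memset(a, 0, sizeof(*a));       /* zero first: an early return leaks nothing */
    if (sk->family == FAM_INET6) {
        const struct v6_info *np = sk->pinet6;
        if (warn_on_once(!np, "AF_INET6 socket without IPv6 state"))
            return;                 /* caller sees an all-zero record */
        a->family = FAM_INET6;
        a->port = sk->sport;
        memcpy(a->addr, np->saddr, sizeof(np->saddr));
    }
}

/* Counts non-zero bytes, padding included, in the record handed back. */
size_t nonzero_bytes(const struct sub_addrs *a)
{
    const unsigned char *p = (const unsigned char *)a;
    size_t i, n = 0;
    for (i = 0; i < sizeof(*a); i++)
        n += p[i] != 0;
    return n;
}
```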