From: Stephen Hemminger <stephen@networkplumber.org>
Date: Tue, 9 May 2023 03:17:50 +0000 (-0700)
Subject: tc/prio: handle possible truncated kernel response
X-Git-Tag: v6.4.0~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c90d25e96b010c5837b5db9eaa57f5063f0c2aeb;p=thirdparty%2Fiproute2.git

tc/prio: handle possible truncated kernel response

Reported by -fanalyzer. If kernel did not send full qdisc
info, then uninitialized or null data could be referenced.

q_prio.c: In function ‘prio_print_opt’:
q_prio.c:105:57: warning: dereference of NULL ‘0’ [CWE-476] [-Wanalyzer-null-dereference]
  105 |         print_uint(PRINT_ANY, "bands", "bands %u ", qopt->bands);
      |                                                     ~~~~^~~~~~~
  ‘prio_print_opt’: event 1
    |
    |   98 |         if (opt == NULL)
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch (when ‘opt’ is non-NULL)...
    |
  ‘prio_print_opt’: event 2
    |
    |../include/uapi/linux/rtnetlink.h:228:38:
    |  228 | #define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
    |      |                                ~~~~~~^~~~~~~~~~
    |      |                                      |
    |      |                                      (2) ...to here
../include/libnetlink.h:236:19: note: in expansion of macro ‘RTA_PAYLOAD’
    |  236 |         ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL;       \
    |      |                   ^~~~~~~~~~~
q_prio.c:101:13: note: in expansion of macro ‘parse_rtattr_nested_compat’
    |  101 |         if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt,
    |      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
    |
  ‘prio_print_opt’: event 3
    |
    |../include/libnetlink.h:236:59:
    |  236 |         ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL;       \
q_prio.c:101:13: note: in expansion of macro ‘parse_rtattr_nested_compat’
    |  101 |         if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt,
    |      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
    |
  ‘prio_print_opt’: events 4-5
    |
    |  105 |         print_uint(PRINT_ANY, "bands", "bands %u ", qopt->bands);
    |      |                                                     ~~~~^~~~~~~
    |      |                                                         |
    |      |                                                         (4) ...to here
    |      |                                                         (5) dereference of NULL ‘<unknown>’
    |

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---

diff --git a/tc/q_prio.c b/tc/q_prio.c
index c8c6477e1..a3781ffe8 100644
--- a/tc/q_prio.c
+++ b/tc/q_prio.c
@@ -101,6 +101,8 @@ int prio_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt)
 	if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt,
 					sizeof(*qopt)))
 		return -1;
+	if (qopt == NULL)
+		return -1;	/* missing data from kernel */
 
 	print_uint(PRINT_ANY, "bands", "bands %u ", qopt->bands);
 	open_json_array(PRINT_ANY, "priomap");