[iproute2,11/11] tc/prio: handle possible truncated kernel response

Commit Message

Stephen Hemminger May 9, 2023, 9:21 p.m. UTC

Reported by -fanalyzer. If kernel did not send full qdisc
info, then uninitialized or null data could be referenced.

q_prio.c: In function ‘prio_print_opt’:
q_prio.c:105:57: warning: dereference of NULL ‘0’ [CWE-476] [-Wanalyzer-null-dereference]
  105 |         print_uint(PRINT_ANY, "bands", "bands %u ", qopt->bands);
      |                                                     ~~~~^~~~~~~
  ‘prio_print_opt’: event 1
    |
    |   98 |         if (opt == NULL)
    |      |            ^
    |      |            |
    |      |            (1) following ‘false’ branch (when ‘opt’ is non-NULL)...
    |
  ‘prio_print_opt’: event 2
    |
    |../include/uapi/linux/rtnetlink.h:228:38:
    |  228 | #define RTA_PAYLOAD(rta) ((int)((rta)->rta_len) - RTA_LENGTH(0))
    |      |                                ~~~~~~^~~~~~~~~~
    |      |                                      |
    |      |                                      (2) ...to here
../include/libnetlink.h:236:19: note: in expansion of macro ‘RTA_PAYLOAD’
    |  236 |         ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL;       \
    |      |                   ^~~~~~~~~~~
q_prio.c:101:13: note: in expansion of macro ‘parse_rtattr_nested_compat’
    |  101 |         if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt,
    |      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
    |
  ‘prio_print_opt’: event 3
    |
    |../include/libnetlink.h:236:59:
    |  236 |         ({ data = RTA_PAYLOAD(rta) >= len ? RTA_DATA(rta) : NULL;       \
q_prio.c:101:13: note: in expansion of macro ‘parse_rtattr_nested_compat’
    |  101 |         if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt,
    |      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~
    |
  ‘prio_print_opt’: events 4-5
    |
    |  105 |         print_uint(PRINT_ANY, "bands", "bands %u ", qopt->bands);
    |      |                                                     ~~~~^~~~~~~
    |      |                                                         |
    |      |                                                         (4) ...to here
    |      |                                                         (5) dereference of NULL ‘<unknown>’
    |

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 tc/q_prio.c | 2 ++
 1 file changed, 2 insertions(+)

Patch

diff --git a/tc/q_prio.c b/tc/q_prio.c
index c8c6477e1a98..a3781ffe8b2c 100644
--- a/tc/q_prio.c
+++ b/tc/q_prio.c
@@ -101,6 +101,8 @@  int prio_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt)
 	if (parse_rtattr_nested_compat(tb, TCA_PRIO_MAX, opt, qopt,
 					sizeof(*qopt)))
 		return -1;
+	if (qopt == NULL)
+		return -1;	/* missing data from kernel */
 
 	print_uint(PRINT_ANY, "bands", "bands %u ", qopt->bands);
 	open_json_array(PRINT_ANY, "priomap");