Coverity reports a tainted scalar issue (CID 368760) in the
log_received_backtrace() function. The function reads untrusted data
from a file descriptor into a backtrace structure but only validates
the upper bound of n_frames, not the lower bound. Fix this by
checking both the lower and upper bounds.

Fixes: 759a29dc2d97 ("backtrace: Extend the backtrace functionality.")
Signed-off-by: Eelco Chaudron <[email protected]>
--
v2:
 - Use MIN(MAX()) instead of introducing CLAMP() macro.
---
 lib/backtrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/backtrace.c b/lib/backtrace.c
index 65c92fd72..3405591e4 100644
--- a/lib/backtrace.c
+++ b/lib/backtrace.c
@@ -149,7 +149,7 @@ log_received_backtrace(int fd)
     if (read_received_backtrace(fd, &bt, sizeof bt)) {
         struct ds ds = DS_EMPTY_INITIALIZER;
 
-        bt.n_frames = MIN(bt.n_frames, BACKTRACE_MAX_FRAMES);
+        bt.n_frames = MIN(MAX(bt.n_frames, 0), BACKTRACE_MAX_FRAMES);
 
         ds_put_cstr(&ds, BACKTRACE_DUMP_MSG);
         backtrace_format(&ds, &bt, "\n");
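
Review bot: The clamp on the bt.n_frames line silently turns an out-of-range count into a valid one, so a corrupt or truncated message read from fd is still logged under BACKTRACE_DUMP_MSG as if it were a genuine backtrace. Consider treating n_frames < 0 or n_frames > BACKTRACE_MAX_FRAMES as a malformed message and either skipping the dump or logging that the count was adjusted. The lower bound also only has an effect if n_frames is a signed type, which this hunk does not show; a short comment on that line saying that bt is untrusted input and that n_frames is signed would make the purpose of MAX(bt.n_frames, 0) clear to the next reader.
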
-- 
2.52.0
