[openib-general] Coverity found iSER bug?
Erez Zilber
erezz at voltaire.com
Tue Oct 3 02:40:38 PDT 2006
Roland Dreier wrote:
>
> (This is from the Coverity scanner, CID 1396)
>
> In iser_initiator.c there is suspicious code in iser_rcv_completion().
> We start with
>
> char *rx_data = NULL;
> int rx_data_len = 0;
>
> and then do
>
> if (dto_xfer_len > ISER_TOTAL_HEADERS_LEN) { /* we have data */
> rx_data_len = dto_xfer_len - ISER_TOTAL_HEADERS_LEN;
> rx_data = dto->regd[1]->virt_addr;
> rx_data += dto->offset[1];
> }
>
> I see no assignment to rx_data if dto_xfer_len <= ISER_TOTAL_HEADERS_LEN.
> Then after a bunch of other stuff, we do
>
> iscsi_iser_recv(conn->iscsi_conn, hdr, rx_data, rx_data_len);
>
> Coverity eventually follows this path to iscsi_scsi_cmd_rsp(), which
> might dereference rx_data directly.
>
> Is this a "can't happen" false positive or is there really a problem here?
>
> - R.
>
Roland,
This cannot happen. If there's no data (dto_xfer_len <=
ISER_TOTAL_HEADERS_LEN), iSER & open-iscsi code will not try to look
into the NULL buffer. Just to be sure, I checked the possible paths from
iscsi_iser_recv and it seems ok.
Thanks
--
____________________________________________________________
Erez Zilber | 972-9-971-7689
Software Engineer, Storage Team
Voltaire – _The Grid Backbone_
__
www.voltaire.com <http://www.voltaire.com/>
More information about the general
mailing list