[openib-general] Coverity found iSER bug?

Roland Dreier rdreier at cisco.com
Thu Sep 28 16:53:18 PDT 2006


(This is from the Coverity scanner, CID 1396)

In iser_initiator.c there is suspicious code in iser_rcv_completion().
We start with

	char   *rx_data = NULL;
	int     rx_data_len = 0;

and then do

	if (dto_xfer_len > ISER_TOTAL_HEADERS_LEN) { /* we have data */
		rx_data_len = dto_xfer_len - ISER_TOTAL_HEADERS_LEN;
		rx_data     = dto->regd[1]->virt_addr;
		rx_data    += dto->offset[1];
	}

I see no assignment to rx_data if dto_xfer_len <= ISER_TOTAL_HEADERS_LEN.
Then after a bunch of other stuff, we do

	iscsi_iser_recv(conn->iscsi_conn, hdr, rx_data, rx_data_len);

Coverity eventually follows this path to iscsi_scsi_cmd_rsp(), which
might dereference rx_data directly.

Is this a "can't happen" false positive or is there really a problem here?

 - R.
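The pattern described in the mail, modelled as an added C example; this is not code from the iSER driver or from this thread, and all names (`model_*`, `MODEL_HEADERS_LEN`, the 8-byte header length and the 16-byte buffer) are constructed for illustration. It shows why the answer to the question hinges on the consumer: `rx_data` is NULL exactly when `rx_data_len` is 0, so a callee that tests the length (or the pointer) before touching the data is safe, while one that dereferences `data` unconditionally is not.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: every receive carries this many header bytes,
 * and anything beyond it is payload (stands in for ISER_TOTAL_HEADERS_LEN). */
#define MODEL_HEADERS_LEN 8

/* Constructed stand-in for the dto's registered region and offset. */
struct model_dto {
    const unsigned char *virt_addr;
    size_t offset;
};

/* Modelled consumer (the role iscsi_scsi_cmd_rsp() plays in the mail).
 * Returns the number of payload bytes copied, 0 when there is no payload,
 * or -1 when the arguments are inconsistent. Checking data_len first is
 * what makes the NULL pointer a "can't happen" for this consumer. */
int model_cmd_rsp(const char *data, int data_len, char *out, size_t out_cap)
{
    if (data_len == 0)
        return 0;                 /* header-only PDU: nothing to read */
    if (data == NULL)
        return -1;                /* length claims payload but pointer is NULL */
    if ((size_t)data_len > out_cap)
        return -1;                /* would overrun the caller's buffer */
    memcpy(out, data, (size_t)data_len);
    return data_len;
}

/* Mirrors the control flow quoted from iser_rcv_completion(): rx_data
 * stays NULL unless the transfer is longer than the headers. */
int model_rcv_completion(const struct model_dto *dto, size_t dto_xfer_len,
                         char *out, size_t out_cap)
{
    const char *rx_data = NULL;
    int rx_data_len = 0;

    if (dto_xfer_len > MODEL_HEADERS_LEN) {       /* we have data */
        rx_data_len = (int)(dto_xfer_len - MODEL_HEADERS_LEN);
        rx_data     = (const char *)dto->virt_addr;
        rx_data    += dto->offset;
    }
    /* Invariant the consumer relies on: rx_data == NULL  <=>  rx_data_len == 0 */
    return model_cmd_rsp(rx_data, rx_data_len, out, out_cap);
}

/* Drives one constructed receive: 8 header bytes followed by payload bytes. */
int model_run_case(size_t dto_xfer_len)
{
    static const unsigned char buf[16] = "HDRHDRHDdatadat";  /* constructed */
    struct model_dto dto = { buf, MODEL_HEADERS_LEN };
    char out[16];
    return model_rcv_completion(&dto, dto_xfer_len, out, sizeof out);
}

int main(void)
{
    printf("header-only (8 bytes): %d payload bytes\n", model_run_case(8));
    printf("12-byte transfer     : %d payload bytes\n", model_run_case(12));
    return 0;
}
```

A transfer of exactly the header length yields `rx_data == NULL` and `rx_data_len == 0`, and the guarded consumer returns 0 without dereferencing anything; the same inputs passed to a consumer that reads `data[0]` before checking the length would be the real bug Coverity is pointing at.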



