[openib-general] Coverity found iSER bug?
Roland Dreier
rdreier at cisco.com
Thu Sep 28 16:53:18 PDT 2006
(This is from the Coverity scanner, CID 1396)
In iser_initiator.c there is suspicious code in iser_rcv_completion().
We start with
char *rx_data = NULL;
int rx_data_len = 0;
and then do
if (dto_xfer_len > ISER_TOTAL_HEADERS_LEN) { /* we have data */
        rx_data_len = dto_xfer_len - ISER_TOTAL_HEADERS_LEN;
        rx_data = dto->regd[1]->virt_addr;
        rx_data += dto->offset[1];
}
I see no assignment to rx_data if dto_xfer_len <= ISER_TOTAL_HEADERS_LEN.
Then after a bunch of other stuff, we do
iscsi_iser_recv(conn->iscsi_conn, hdr, rx_data, rx_data_len);
Coverity eventually follows this path to iscsi_scsi_cmd_rsp(), which
might dereference rx_data directly.
Is this a "can't happen" false positive or is there really a problem here?
- R.
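As an added illustration (not the iSER source and not code from the post), a C model of the path the message describes: the caller leaves rx_data NULL when the transfer carries only headers, and a callee that reads rx_data without looking at rx_data_len dereferences NULL. HDR_LEN, the simplified struct dto and the two sink functions are stand-ins constructed for the example.

```c
#include <stddef.h>

#define HDR_LEN 28  /* stand-in for ISER_TOTAL_HEADERS_LEN; value is constructed */

/* Simplified stand-in for the dto fields the caller uses. */
struct dto {
    const char *virt_addr;  /* stands in for dto->regd[1]->virt_addr */
    size_t offset;          /* stands in for dto->offset[1] */
};

/* Unsafe sink: a response handler that reads rx_data unconditionally.
 * With a header-only transfer, rx_data is NULL and this dereferences it. */
static int rsp_unchecked(const char *rx_data, int rx_data_len)
{
    (void)rx_data_len;
    return rx_data[0];
}

/* Hardened sink: "no payload" (NULL pointer / zero length) is handled
 * as its own case before any byte of rx_data is touched. */
static int rsp_checked(const char *rx_data, int rx_data_len)
{
    if (rx_data == NULL || rx_data_len <= 0)
        return -1;          /* nothing to parse */
    return rx_data[0];
}

/* Caller mirroring the shape of iser_rcv_completion(): rx_data is only
 * assigned when the transfer is longer than the headers, then handed on. */
static int rcv_completion(const struct dto *dto, int dto_xfer_len,
                          int (*sink)(const char *, int))
{
    char *rx_data = NULL;
    int rx_data_len = 0;

    if (dto_xfer_len > HDR_LEN) {        /* we have data */
        rx_data_len = dto_xfer_len - HDR_LEN;
        rx_data = (char *)dto->virt_addr + dto->offset;
    }
    return sink(rx_data, rx_data_len);
}

/* Constructed sample: a buffer whose payload starts at offset 3. */
static int demo(int dto_xfer_len, int (*sink)(const char *, int))
{
    static const char buf[] = "hdrXYZ";
    struct dto d = { buf, 3 };
    return rcv_completion(&d, dto_xfer_len, sink);
}
```

Calling demo(HDR_LEN, rsp_unchecked) is the crash the scanner is pointing at; the checked sink returns -1 on the same input instead.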