net/atm/addr.c

Bug Summary

File:	net/atm/addr.c
Warning:	line 157, column 6 Copies out a struct with uncleared padding (>= 2 bytes)

Annotated Source Code

/* net/atm/addr.c - Local ATM address registry */

/* Written 1995-2000 by Werner Almesberger, EPFL LRC/ICA */

#include <linux1/atm.h>

#include <linux1/atmdev.h>

#include <linux1/slab.h>

#include <linux1/uaccess.h>

#include "signaling.h"

#include "addr.h"

static int check_addr(const struct sockaddr_atmsvc *addr)

{

int i;

if (addr->sas_family != AF_ATMSVC20)

return -EAFNOSUPPORT97;

if (!*addr->sas_addr.pub)

return *addr->sas_addr.prv ? 0 : -EINVAL22;

for (i = 1; i < ATM_E164_LEN12 + 1; i++) /* make sure it's \0-terminated */

if (!addr->sas_addr.pub[i])

return 0;

return -EINVAL22;

}

static int identical(const struct sockaddr_atmsvc *a, const struct sockaddr_atmsvc *b)

{

if (*a->sas_addr.prv)

if (memcmp(a->sas_addr.prv, b->sas_addr.prv, ATM_ESA_LEN20))

return 0;

if (!*a->sas_addr.pub)

return !*b->sas_addr.pub;

if (!*b->sas_addr.pub)

return 0;

return !strcmp(a->sas_addr.pub, b->sas_addr.pub);

}

static void notify_sigd(const struct atm_dev *dev)

{

struct sockaddr_atmpvc pvc;

pvc.sap_addr.itf = dev->number;

sigd_enq(NULL((void *)0), as_itf_notify, NULL((void *)0), &pvc, NULL((void *)0));

}

void atm_reset_addr(struct atm_dev *dev, enum atm_addr_type_t atype)

{

unsigned long flags;

struct atm_dev_addr *this, *p;

struct list_head *head;

spin_lock_irqsave(&dev->lock, flags)do { do { ({ unsigned long __dummy; typeof(flags) __dummy2; (
void)(&__dummy == &__dummy2); 1; }); flags = _raw_spin_lock_irqsave
(spinlock_check(&dev->lock)); } while (0); } while (0);

if (atype == ATM_ADDR_LECS)

head = &dev->lecs;

else

head = &dev->local;

list_for_each_entry_safe(this, p, head, entry)for (this = ({ const typeof( ((typeof(*this) *)0)->entry )
*__mptr = ((head)->next); (typeof(*this) *)( (char *)__mptr
- __builtin_offsetof(typeof(*this), entry) );}), p = ({ const
typeof( ((typeof(*(this)) *)0)->entry ) *__mptr = ((this)
->entry.next); (typeof(*(this)) *)( (char *)__mptr - __builtin_offsetof
(typeof(*(this)), entry) );}); &this->entry != (head);
this = p, p = ({ const typeof( ((typeof(*(p)) *)0)->entry
) *__mptr = ((p)->entry.next); (typeof(*(p)) *)( (char *)
__mptr - __builtin_offsetof(typeof(*(p)), entry) );})) {

list_del(&this->entry);

kfree(this);

}

spin_unlock_irqrestore(&dev->lock, flags);

if (head == &dev->local)

notify_sigd(dev);

}

int atm_add_addr(struct atm_dev *dev, const struct sockaddr_atmsvc *addr,

enum atm_addr_type_t atype)

{

unsigned long flags;

struct atm_dev_addr *this;

struct list_head *head;

int error;

error = check_addr(addr);

if (error)

return error;

if (atype == ATM_ADDR_LECS)

head = &dev->lecs;

else

head = &dev->local;

list_for_each_entry(this, head, entry)for (this = ({ const typeof( ((typeof(*this) *)0)->entry )
*__mptr = ((head)->next); (typeof(*this) *)( (char *)__mptr
- __builtin_offsetof(typeof(*this), entry) );}); &this->
entry != (head); this = ({ const typeof( ((typeof(*(this)) *)
0)->entry ) *__mptr = ((this)->entry.next); (typeof(*(this
)) *)( (char *)__mptr - __builtin_offsetof(typeof(*(this)), entry
) );})) {

if (identical(&this->addr, addr)) {

spin_unlock_irqrestore(&dev->lock, flags);

return -EEXIST17;

}

this = kmalloc(sizeof(struct atm_dev_addr), GFP_ATOMIC((( gfp_t)0x20u)|(( gfp_t)0x80000u)|(( gfp_t)0x2000000u)));

if (!this) {

spin_unlock_irqrestore(&dev->lock, flags);

return -ENOMEM12;

}

this->addr = *addr;

list_add(&this->entry, head);

spin_unlock_irqrestore(&dev->lock, flags);

if (head == &dev->local)

notify_sigd(dev);

return 0;

100

}

101

102

int atm_del_addr(struct atm_dev *dev, const struct sockaddr_atmsvc *addr,

103

enum atm_addr_type_t atype)

104

{

105

unsigned long flags;

106

struct atm_dev_addr *this;

107

struct list_head *head;

108

int error;

109

110

error = check_addr(addr);

111

if (error)

112

return error;

113

114

if (atype == ATM_ADDR_LECS)

115

head = &dev->lecs;

116

else

117

head = &dev->local;

118

119

if (identical(&this->addr, addr)) {

120

list_del(&this->entry);

121

spin_unlock_irqrestore(&dev->lock, flags);

122

kfree(this);

123

if (head == &dev->local)

124

notify_sigd(dev);

125

return 0;

126

}

127

}

128

spin_unlock_irqrestore(&dev->lock, flags);

129

return -ENOENT2;

130

}

131

132

int atm_get_addr(struct atm_dev *dev, struct sockaddr_atmsvc __user * buf,

133

size_t size, enum atm_addr_type_t atype)

134

{

135

unsigned long flags;

136

struct atm_dev_addr *this;

137

struct list_head *head;

138

int total = 0, error;

139

struct sockaddr_atmsvc *tmp_buf, *tmp_bufp;

140

141

142

if (atype == ATM_ADDR_LECS)

Assuming 'atype' is equal to ATM_ADDR_LECS

→

←

Taking true branch

→

143

head = &dev->lecs;

144

else

145

head = &dev->local;

146

147

total += sizeof(struct sockaddr_atmsvc);

148

tmp_buf = tmp_bufp = kmalloc(total, GFP_ATOMIC((( gfp_t)0x20u)|(( gfp_t)0x80000u)|(( gfp_t)0x2000000u)));

149

if (!tmp_buf) {

←

Assuming 'tmp_buf' is non-null

→

←

Taking false branch

→

150

spin_unlock_irqrestore(&dev->lock, flags);

151

return -ENOMEM12;

152

}

153

154

memcpy(tmp_bufp++, &this->addr, sizeof(struct sockaddr_atmsvc))({ size_t __len = (sizeof(struct sockaddr_atmsvc)); void *__ret
; if (__builtin_constant_p(sizeof(struct sockaddr_atmsvc)) &&
__len >= 64) __ret = __memcpy((tmp_bufp++), (&this->
addr), __len); else __ret = __builtin_memcpy((tmp_bufp++), (&
this->addr), __len); __ret; });

155

spin_unlock_irqrestore(&dev->lock, flags);

156

error = total > size ? -E2BIG7 : total;

←

Assuming 'total' is <= 'size'

→

←

'?' condition is false

→

157

if (copy_to_user(buf, tmp_buf, total < size ? total : size))