From e02c5c01a0cb16df56f021cf42aa8e3425ac6b38 Mon Sep 17 00:00:00 2001
From: Dan Carpenter
Date: Tue, 14 Aug 2012 10:41:13 +0300
Subject: [PATCH] user_data: skb->data is user data
Dan Rosenberg found a bug where people trusted skb->data to hold valid data. This is inspired by that.
Signed-off-by: Dan Carpenter
---
 check_user_data.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/check_user_data.c b/check_user_data.c
index 7284e0bc..bc737af6 100644
--- a/check_user_data.c
+++ b/check_user_data.c
@@ -16,12 +16,44 @@
 #include "smatch.h"
 #include "smatch_slist.h"
+#include "smatch_extra.h"
 static int my_id;
 STATE(capped);
 STATE(user_data);
+static int is_skb_data(struct expression *expr)
+{
+ struct symbol *sym;
+ char *name;
+ int len;
+ int ret = 0;
+
+ name = get_variable_from_expr(expr, &sym);
+ if (!name || !sym)
+ goto free;
+
+ sym = get_base_type(sym);
+ if (!sym || sym->type != SYM_PTR)
+ goto free;
+ sym = get_base_type(sym);
+ if (!sym || sym->type != SYM_STRUCT || !sym->ident)
+ goto free;
+ if (strcmp(sym->ident->name, "sk_buff") != 0)
+ goto free;
+
+ len = strlen(name);
+ if (len < 6)
+ goto free;
+ if (strcmp(name + len - 6, "->data") == 0)
+ ret = 1;
+
+free:
+ free_string(name);
+ return ret;
+}
+
 int is_user_data(struct expression *expr)
 {
 struct state_list *slist = NULL;
@@ -35,6 +67,8 @@ int is_user_data(struct expression *expr)
 return 0;
 if (is_capped(expr))
 return 0;
+ if (is_skb_data(expr))
+ return 1;
 if (expr->type == EXPR_BINOP) {
 if (is_user_data(expr->left))
 return 1;
--
2.11.4.GIT
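Review bot: is_skb_data recognises `skb->data` by a suffix test on the printed expression, `strcmp(name + len - 6, "->data")`, combined with the type of the symbol handed back through `&sym`, which must itself be a `struct sk_buff *`; if that symbol is the expression's root variable, as the helper's name suggests, then `skb->data` reached through another struct (the root being some `struct foo *` that holds the skb pointer) is never flagged, while any member chain rooted at an skb pointer whose printed form ends in `->data` is flagged regardless of which struct the final `data` member belongs to. Inspecting the expression directly — `expr->type == EXPR_DEREF`, `expr->member->name` compared with `"data"`, and the owning struct type derived from `expr->deref` — would replace both the string test and the `len < 6` guard with a check on the actual member access. The `!name || !sym` path jumps to `free:` with `name == NULL`, which is only correct if free_string tolerates a NULL argument; the hunk does not show that, so it is worth confirming. A one-line comment above the function, `/* matches skb->data when the root variable is a struct sk_buff pointer; the "->data" test is a suffix match on the printed expression */`, would make the current limits explicit to the next reader.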
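Review bot: The new `is_skb_data` check fires only on the bare `skb->data` expression, yet an indexed or dereferenced read such as `skb->data[0]` or `*skb->data` reaches is_user_data as a dereference rather than as `skb->data` itself, and the visible code recurses only into EXPR_BINOP operands; whether such reads are treated as user data therefore depends on code outside the hunk (is_user_data starts and ends outside it). If those forms are meant to be covered, the same check should be applied to the operand of the dereference, presumably where the function handles unary expressions, if it does. Placing the check after `is_capped(expr)` means a capped `skb->data` value is not reported, which matches how the state-based sources are treated in the lines above. A short comment on the added lines, `/* skb->data is network input: treat it as user controlled */`, would record why this source sits alongside the state-based checks.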