From: Dan Carpenter Date: Mon, 15 Apr 2013 08:02:03 +0000 (+0300) Subject: user_data: using a user supplied offset into an known array give safe data X-Git-Tag: 1.59~197 X-Git-Url: https://repo.or.cz/w/smatch.git/commitdiff_plain/585dcf941862452a588b459845f99ca72a09727b user_data: using a user supplied offset into an known array give safe data The situation here is: x = trusted_kernel_array[untrusted_user_offset]; At the end then x is trusted kernel data. Signed-off-by: Dan Carpenter --- diff --git a/check_user_data.c b/check_user_data.c index 283868ab..b5e3b86a 100644 --- a/check_user_data.c +++ b/check_user_data.c @@ -156,6 +156,8 @@ int is_user_data(struct expression *expr) if (expr->type == EXPR_BINOP) { if (is_user_data(expr->left)) return 1; + if (is_array(expr)) + return 0; if (is_user_data(expr->right)) return 1; return 0;
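Review bot: The new `if (is_array(expr)) return 0;` in the `EXPR_BINOP` branch of `is_user_data()` returns before `expr->right` is examined, and there is no comment saying why. A reader of the code alone will see an untrusted offset being waved through. Please add a short comment above the check that carries the rationale from the commit message, that `x = trusted_kernel_array[untrusted_user_offset]` yields kernel data once the base has passed the `is_user_data(expr->left)` test. The comment should also say that this verdict is about the loaded value only. Nothing in this hunk establishes that the offset was range-checked, so the comment should name where an out-of-bounds user index is expected to be caught. The ordering matters too and deserves a mention in the same comment: the array test is only correct because it sits after the `expr->left` check, so a later reshuffle of these three tests would silently mark user-controlled arrays as safe.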