Dan Carpenter
2012-Dec-07 06:18 UTC
[Bridge] [patch] bridge: make buffer larger in br_setlink()
__IFLA_BRPORT_MAX is one larger than IFLA_BRPORT_MAX. We pass IFLA_BRPORT_MAX to nla_parse_nested() so we need IFLA_BRPORT_MAX + 1 elements. Also Smatch complains that we read past the end of the array when in br_set_port_flag() when it's called with IFLA_BRPORT_FAST_LEAVE. Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com> --- Only needed in linux-next. diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 850b7d1..cfc5cfe 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c @@ -239,7 +239,7 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh) struct ifinfomsg *ifm; struct nlattr *protinfo; struct net_bridge_port *p; - struct nlattr *tb[IFLA_BRPORT_MAX]; + struct nlattr *tb[__IFLA_BRPORT_MAX]; int err; ifm = nlmsg_data(nlh);
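Review bot: at the `tb` declaration in br_setlink(), sizing the array with `__IFLA_BRPORT_MAX` gives the right element count but hides its relation to the maxtype argument. The message says nla_parse_nested() is passed IFLA_BRPORT_MAX and therefore needs IFLA_BRPORT_MAX + 1 elements, so writing `struct nlattr *tb[IFLA_BRPORT_MAX + 1];` would let a reader check the bound against that call without looking up how the double-underscore enumerator is defined.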
Thomas Graf
2012-Dec-07 09:31 UTC
[Bridge] [patch] bridge: make buffer larger in br_setlink()
On 12/07/12 at 09:18am, Dan Carpenter wrote:
> __IFLA_BRPORT_MAX is one larger than IFLA_BRPORT_MAX. We pass > IFLA_BRPORT_MAX to nla_parse_nested() so we need IFLA_BRPORT_MAX + 1 > elements. Also Smatch complains that we read past the end of the array > when in br_set_port_flag() when it's called with IFLA_BRPORT_FAST_LEAVE. > > Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com> > --- > Only needed in linux-next. > > diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c > index 850b7d1..cfc5cfe 100644 > --- a/net/bridge/br_netlink.c > +++ b/net/bridge/br_netlink.c > @@ -239,7 +239,7 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh) > struct ifinfomsg *ifm; > struct nlattr *protinfo; > struct net_bridge_port *p; > - struct nlattr *tb[IFLA_BRPORT_MAX]; > + struct nlattr *tb[__IFLA_BRPORT_MAX]; > int err; > > ifm = nlmsg_data(nlh);

I know it's nitpicking but could you use IFLA_BRPORT_MAX+1 for consistency?
Dan Carpenter
2012-Dec-07 11:10 UTC
[Bridge] [patch v2] bridge: make buffer larger in br_setlink()
We pass IFLA_BRPORT_MAX to nla_parse_nested() so we need IFLA_BRPORT_MAX + 1 elements. Also Smatch complains that we read past the end of the array when in br_set_port_flag() when it's called with IFLA_BRPORT_FAST_LEAVE. Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com> --- v2: Style tweak. Only needed in linux-next. diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 850b7d1..cfc5cfe 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c @@ -239,7 +239,7 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh) struct ifinfomsg *ifm; struct nlattr *protinfo; struct net_bridge_port *p; - struct nlattr *tb[IFLA_BRPORT_MAX]; + struct nlattr *tb[IFLA_BRPORT_MAX + 1]; int err; ifm = nlmsg_data(nlh);
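Review bot: the changelog above the `tb[IFLA_BRPORT_MAX + 1]` change does not identify the linux-next commit that introduced the undersized array; "Only needed in linux-next" sits below the `---` and will be dropped when the patch is applied. Naming that commit in the message body would let the maintainer order or fold the fix correctly and would record why no stable backport is needed. The size change itself matches the stated requirement of IFLA_BRPORT_MAX + 1 elements.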