* [bug report] ipv6: fix ip6_tnl_parse_tlv_enc_lim()
@ 2017-01-31 11:12 Dan Carpenter
2017-01-31 14:22 ` Eric Dumazet
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2017-01-31 11:12 UTC (permalink / raw)
To: kernel-janitors
Hello Eric Dumazet,
The patch fbfa743a9d2a: "ipv6: fix ip6_tnl_parse_tlv_enc_lim()" from
Jan 23, 2017, leads to the following static checker warning:
net/ipv6/ip6_tunnel.c:444 ip6_tnl_parse_tlv_enc_lim()
warn: potential pointer math issue ('skb->data' is a 24 bit pointer)
net/ipv6/ip6_tunnel.c
437 while (1) {
438 struct ipv6_tlv_tnl_enc_lim *tel;
439
440 /* No more room for encapsulation limit */
441 if (i + sizeof(*tel) > optlen)
442 break;
443
444 tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
This should be:
tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
Someone probably already reported this?
445 /* return index of option if found and valid */
446 if (tel->type = IPV6_TLV_TNL_ENCAP_LIMIT &&
447 tel->length = 1)
448 return i + off - nhoff;
449 /* else jump to next option */
450 if (tel->type)
451 i += tel->length + 2;
452 else
453 i++;
454 }
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [bug report] ipv6: fix ip6_tnl_parse_tlv_enc_lim()
2017-01-31 11:12 [bug report] ipv6: fix ip6_tnl_parse_tlv_enc_lim() Dan Carpenter
@ 2017-01-31 14:22 ` Eric Dumazet
0 siblings, 0 replies; 2+ messages in thread
From: Eric Dumazet @ 2017-01-31 14:22 UTC (permalink / raw)
To: kernel-janitors
Hi Dan
Please send an official patch, thanks !
On Tue, Jan 31, 2017 at 3:12 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> Hello Eric Dumazet,
>
> The patch fbfa743a9d2a: "ipv6: fix ip6_tnl_parse_tlv_enc_lim()" from
> Jan 23, 2017, leads to the following static checker warning:
>
> net/ipv6/ip6_tunnel.c:444 ip6_tnl_parse_tlv_enc_lim()
> warn: potential pointer math issue ('skb->data' is a 24 bit pointer)
>
> net/ipv6/ip6_tunnel.c
> 437 while (1) {
> 438 struct ipv6_tlv_tnl_enc_lim *tel;
> 439
> 440 /* No more room for encapsulation limit */
> 441 if (i + sizeof(*tel) > optlen)
> 442 break;
> 443
> 444 tel = (struct ipv6_tlv_tnl_enc_lim *) skb->data + off + i;
>
> This should be:
> tel = (struct ipv6_tlv_tnl_enc_lim *)(skb->data + off + i);
>
>
> Someone probably already reported this?
>
> 445 /* return index of option if found and valid */
> 446 if (tel->type = IPV6_TLV_TNL_ENCAP_LIMIT &&
> 447 tel->length = 1)
> 448 return i + off - nhoff;
> 449 /* else jump to next option */
> 450 if (tel->type)
> 451 i += tel->length + 2;
> 452 else
> 453 i++;
> 454 }
>
> regards,
> dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-01-31 14:22 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-31 11:12 [bug report] ipv6: fix ip6_tnl_parse_tlv_enc_lim() Dan Carpenter
2017-01-31 14:22 ` Eric Dumazet
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.