From: Dan Carpenter <dan.carpenter@oracle.com>
To: Florian Fainelli <f.fainelli@gmail.com>
Cc: "; Andrew Lunn" <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH net-next] net: dsa: Fix off by one in dsa_loop_port_vlan_add()
Date: Tue, 19 Jan 2021 17:53:35 +0300 [thread overview]
Message-ID: <YAbyb5kBJQlpYCs2@mwanda> (raw)
The > comparison is intended to be >= to prevent reading beyond the
end of the ps->vlans[] array. It doesn't affect run time though because
the ps->vlans[] array has VLAN_N_VID (4096) elements and the vlan->vid
cannot be > 4094 because it is checked earlier.
Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I'm not 100% sure where this is checked but the other code has comments
and assumptions that say that it is and Smatch says that it is. If I
had to guess, I would say that the check is in the nla policy.
[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
This patch is against linux-next. I could re-write it against net if
you want. Another option would be to just delete the sanity check.
drivers/net/dsa/dsa_loop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/dsa_loop.c b/drivers/net/dsa/dsa_loop.c
index 5f69216376fe..8c283f59158b 100644
--- a/drivers/net/dsa/dsa_loop.c
+++ b/drivers/net/dsa/dsa_loop.c
@@ -207,7 +207,7 @@ static int dsa_loop_port_vlan_add(struct dsa_switch *ds, int port,
struct mii_bus *bus = ps->bus;
struct dsa_loop_vlan *vl;
- if (vlan->vid > ARRAY_SIZE(ps->vlans))
+ if (vlan->vid >= ARRAY_SIZE(ps->vlans))
return -ERANGE;
/* Just do a sleeping operation to make lockdep checks effective */
--
2.29.2
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Florian Fainelli <f.fainelli@gmail.com>
Cc: "; Andrew Lunn" <andrew@lunn.ch>,
Vivien Didelot <vivien.didelot@gmail.com>,
Vladimir Oltean <olteanv@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH net-next] net: dsa: Fix off by one in dsa_loop_port_vlan_add()
Date: Tue, 19 Jan 2021 14:53:35 +0000 [thread overview]
Message-ID: <YAbyb5kBJQlpYCs2@mwanda> (raw)
The > comparison is intended to be >= to prevent reading beyond the
end of the ps->vlans[] array. It doesn't affect run time though because
the ps->vlans[] array has VLAN_N_VID (4096) elements and the vlan->vid
cannot be > 4094 because it is checked earlier.
Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I'm not 100% sure where this is checked but the other code has comments
and assumptions that say that it is and Smatch says that it is. If I
had to guess, I would say that the check is in the nla policy.
[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
This patch is against linux-next. I could re-write it against net if
you want. Another option would be to just delete the sanity check.
drivers/net/dsa/dsa_loop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/dsa_loop.c b/drivers/net/dsa/dsa_loop.c
index 5f69216376fe..8c283f59158b 100644
--- a/drivers/net/dsa/dsa_loop.c
+++ b/drivers/net/dsa/dsa_loop.c
@@ -207,7 +207,7 @@ static int dsa_loop_port_vlan_add(struct dsa_switch *ds, int port,
struct mii_bus *bus = ps->bus;
struct dsa_loop_vlan *vl;
- if (vlan->vid > ARRAY_SIZE(ps->vlans))
+ if (vlan->vid >= ARRAY_SIZE(ps->vlans))
return -ERANGE;
/* Just do a sleeping operation to make lockdep checks effective */
--
2.29.2
next reply other threads:[~2021-01-19 15:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-19 14:53 Dan Carpenter [this message]
2021-01-19 14:53 ` [PATCH net-next] net: dsa: Fix off by one in dsa_loop_port_vlan_add() Dan Carpenter
2021-01-19 17:47 ` Florian Fainelli
2021-01-19 17:47 ` Florian Fainelli
2021-01-21 5:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YAbyb5kBJQlpYCs2@mwanda \
--to=dan.carpenter@oracle.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=f.fainelli@gmail.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=olteanv@gmail.com \
--cc=vivien.didelot@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.