[PATCH][net-next] sfc: fix an off-by-one compare on an array size

From: Colin King
Date: Tue Jan 31 2017 - 11:34:07 EST

Next message: eajames: "[PATCH linux v5 5/6] hwmon: occ: Add hwmon implementation for the P8 OCC"
Previous message: Aniroop Mathur: "Re: Re: [PATCH] [v9]Input: evdev: fix bug of dropping valid packet after syn_dropped event"
Next in thread: Edward Cree: "Re: [PATCH][net-next] sfc: fix an off-by-one compare on an array size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Colin Ian King <colin.king@xxxxxxxxxxxxx>

encap_type should be checked to see if it is greater or equal to
the size of array map to fix an off-by-one array size check. This
fixes an array overrun read as detected by static analysis by
CoverityScan, CID#1398883 ("Out-of-bounds-read")

Fixes: 9b41080125176841e ("sfc: insert catch-all filters for encapsulated traffic")
Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
---
drivers/net/ethernet/sfc/ef10.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
index 8bec938..0475f18 100644
--- a/drivers/net/ethernet/sfc/ef10.c
+++ b/drivers/net/ethernet/sfc/ef10.c
@@ -5080,7 +5080,7 @@ static int efx_ef10_filter_insert_def(struct efx_nic *efx,

/* quick bounds check (BCAST result impossible) */
BUILD_BUG_ON(EFX_EF10_BCAST != 0);
- if (encap_type > ARRAY_SIZE(map) || map[encap_type] == 0) {
+ if (encap_type >= ARRAY_SIZE(map) || map[encap_type] == 0) {
WARN_ON(1);
return -EINVAL;
}
--
2.10.2

Next message: eajames: "[PATCH linux v5 5/6] hwmon: occ: Add hwmon implementation for the P8 OCC"
Previous message: Aniroop Mathur: "Re: Re: [PATCH] [v9]Input: evdev: fix bug of dropping valid packet after syn_dropped event"
Next in thread: Edward Cree: "Re: [PATCH][net-next] sfc: fix an off-by-one compare on an array size"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]