Re: out of bounds writes in net/hsr/

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2014-03-04 04:27, Dave Jones wrote:
> I found this in coverity, and I think it's a real bug..
> 
> hsr_register_frame_in does a check that dev_idx is between 0 and 2,
> therefore, a dev_idx of 2 is possible when it gets to the array writes
> at the end of the function. 

Thanks for finding this; it is a bug (although I don't think it has 
actually lead to any out of bound accesses). 

However, I think you are a bit late - I believe this was fixed in a patch 
from Dan Carpenter just a few days ago. See

/lists/netdev/msg272815.html


> #define HSR_MAX_DEV     (HSR_DEV_MASTER + 1)
> 
> The + 1 seems odd, and looking at the other uses of HSR_MAX_DEV, I can't
> figure out why it's there.
> 
> 	Dave
> 

Yes, maybe the names are a bit misleading, and they should be called something 
like HSR_DEVS and HSR_SLAVES instead. I.e.:

	some-type array-name[HSR_DEVS];

... where the last element is accessed by array-name[HSR_MAX_DEV].



-- 
Arvid Brodin | Consultant (Linux)
ALTEN | Knarrarnäsgatan 7 | SE-164 40 Kista | Sweden
arvid.brodin@xxxxxxxx | www.alten.se/en/
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel Discussion]     [TCP Instrumentation]     [Ethernet Bridging]     [Linux Wireless Networking]     [Linux WPAN Networking]     [Linux Host AP]     [Linux WPAN Networking]     [Linux Bluetooth Networking]     [Linux ATH6KL Networking]     [Linux Networking Users]     [Linux Coverity]     [VLAN]     [Git]     [IETF Annouce]     [Linux Assembly]     [Security]     [Bugtraq]     [Yosemite Information]     [MIPS Linux]     [ARM Linux Kernel]     [ARM Linux]     [Linux Virtualization]     [Linux IDE]     [Linux RAID]     [Linux SCSI]