On 2014-03-04 04:27, Dave Jones wrote:
> I found this in coverity, and I think it's a real bug..
>
> hsr_register_frame_in does a check that dev_idx is between 0 and 2,
> therefore, a dev_idx of 2 is possible when it gets to the array writes
> at the end of the function.

Thanks for finding this; it is a bug (although I don't think it has actually led to any out of bound accesses).

However, I think you are a bit late - I believe this was fixed in a patch from Dan Carpenter just a few days ago. See /lists/netdev/msg272815.html

> #define HSR_MAX_DEV (HSR_DEV_MASTER + 1)
>
> The + 1 seems odd, and looking at the other uses of HSR_MAX_DEV, I can't
> figure out why it's there.
>
> Dave
>

Yes, maybe the names are a bit misleading, and they should be called something like HSR_DEVS and HSR_SLAVES instead. I.e.:

some-type array-name[HSR_DEVS];
...

where the last element is accessed by array-name[HSR_MAX_DEV].

--
Arvid Brodin | Consultant (Linux)
ALTEN | Knarrarnäsgatan 7 | SE-164 40 Kista | Sweden
arvid.brodin@xxxxxxxx | www.alten.se/en/
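Added example, not part of the original thread and not the kernel's code: a small C model of the bug class discussed above, where an index is range-checked against the device count but then used to write an array sized for slaves only. The enum values, `struct node_state`, its fields and every function name are hypothetical; the count-style macro names follow the naming suggested in the reply.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model; index values are assumptions, not taken from the kernel. */
enum dev_idx { DEV_SLAVE_A = 0, DEV_SLAVE_B = 1, DEV_MASTER = 2 };

/* Count-style names: each is "last valid index + 1". */
#define HSR_SLAVES (DEV_SLAVE_B + 1)   /* 2 */
#define HSR_DEVS   (DEV_MASTER + 1)    /* 3 */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

struct node_state {                        /* hypothetical per-node record */
    unsigned long time_in[HSR_SLAVES];     /* assumed: one slot per slave */
    unsigned int  seq_out[HSR_DEVS];       /* assumed: one slot per device */
};

/* Bug pattern: the check uses the device count, so index 2 passes even
 * though the array written afterwards has only HSR_SLAVES elements. */
int check_buggy(int idx) { return idx >= 0 && idx < HSR_DEVS; }

/* Corrected pattern: the bound comes from the array that is written. */
int register_frame_in(struct node_state *n, int idx, unsigned long now)
{
    if (idx < 0 || (size_t)idx >= ARRAY_LEN(n->time_in))
        return -1;
    n->time_in[idx] = now;
    return 0;
}

/* Counts indices that pass the buggy check but lie past the array end. */
int count_escapes(void)
{
    struct node_state n;
    int escapes = 0;
    for (int idx = -1; idx <= HSR_DEVS; idx++)
        if (check_buggy(idx) && (size_t)idx >= ARRAY_LEN(n.time_in))
            escapes++;
    return escapes;
}

/* Runs the corrected write path against a private node record. */
int try_write(int idx)
{
    static struct node_state n;
    return register_frame_in(&n, idx, 1UL);
}

int main(void)
{
    printf("indices escaping the buggy check: %d\n", count_escapes());
    printf("corrected write with DEV_MASTER: %d\n", try_write(DEV_MASTER));
    return 0;
}
```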