| Message ID | 20190403053416.GA21913@kadam (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [net] 6lowpan: Off by one handling ->nexthdr | expand |
Hi Dan, On Wed, 2019-04-03 at 08:34 +0300, Dan Carpenter wrote: > NEXTHDR_MAX is 255. What happens here is that we take a u8 value > "hdr->nexthdr" from the network and then look it up in > lowpan_nexthdr_nhcs[]. The problem is that if hdr->nexthdr is 0xff > then > we read one element beyond the end of the array so the array needs to > be one element larger. > > Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > This is the only place which uses the NEXTHDR_MAX define, so I > considered > changing that to 256 instead. Either fix would work. > > net/6lowpan/nhc.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/net/6lowpan/nhc.c b/net/6lowpan/nhc.c > index 4fa2fdda174d..9e56fb98f33c 100644 > --- a/net/6lowpan/nhc.c > +++ b/net/6lowpan/nhc.c > @@ -18,7 +18,7 @@ > #include "nhc.h" > > static struct rb_root rb_root = RB_ROOT; > -static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX]; > +static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX + 1]; > static DEFINE_SPINLOCK(lowpan_nhc_lock); > > static int lowpan_nhc_insert(struct lowpan_nhc *nhc) Nice catch! Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com> Cheers, Jukka
Hi, On Wed, Apr 03, 2019 at 08:34:16AM +0300, Dan Carpenter wrote: > NEXTHDR_MAX is 255. What happens here is that we take a u8 value > "hdr->nexthdr" from the network and then look it up in > lowpan_nexthdr_nhcs[]. The problem is that if hdr->nexthdr is 0xff then > we read one element beyond the end of the array so the array needs to > be one element larger. > > Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Alexander Aring <aring@mojatatu.com> Thanks. - Alex
Hi Dan, > NEXTHDR_MAX is 255. What happens here is that we take a u8 value > "hdr->nexthdr" from the network and then look it up in > lowpan_nexthdr_nhcs[]. The problem is that if hdr->nexthdr is 0xff then > we read one element beyond the end of the array so the array needs to > be one element larger. > > Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > This is the only place which uses the NEXTHDR_MAX define, so I considered > changing that to 256 instead. Either fix would work. > > net/6lowpan/nhc.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) patch has been applied to bluetooth-next tree. Regards Marcel
diff --git a/net/6lowpan/nhc.c b/net/6lowpan/nhc.c index 4fa2fdda174d..9e56fb98f33c 100644 --- a/net/6lowpan/nhc.c +++ b/net/6lowpan/nhc.c @@ -18,7 +18,7 @@ #include "nhc.h" static struct rb_root rb_root = RB_ROOT; -static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX]; +static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX + 1]; static DEFINE_SPINLOCK(lowpan_nhc_lock); static int lowpan_nhc_insert(struct lowpan_nhc *nhc)
NEXTHDR_MAX is 255. What happens here is that we take a u8 value "hdr->nexthdr" from the network and then look it up in lowpan_nexthdr_nhcs[]. The problem is that if hdr->nexthdr is 0xff then we read one element beyond the end of the array so the array needs to be one element larger. Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- This is the only place which uses the NEXTHDR_MAX define, so I considered changing that to 256 instead. Either fix would work. net/6lowpan/nhc.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)