Message ID | YAbyb5kBJQlpYCs2@mwanda (mailing list archive) |
---|---|
State | Accepted |
Commit | 646188c9550f74454dfc172a347dad693e5bfc84 |
Delegated to: | Netdev Maintainers |
Series | [net-next] net: dsa: Fix off by one in dsa_loop_port_vlan_add() |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Clearly marked for net-next |
netdev/subject_prefix | success | Link |
netdev/cc_maintainers | success | CCed 7 of 7 maintainers |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
netdev/header_inline | success | Link |
netdev/stable | success | Stable not CCed |
On 1/19/2021 6:53 AM, Dan Carpenter wrote:
> The > comparison is intended to be >= to prevent reading beyond the
> end of the ps->vlans[] array. It doesn't affect run time though because
> the ps->vlans[] array has VLAN_N_VID (4096) elements and the vlan->vid
> cannot be > 4094 because it is checked earlier.
>
> Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Hello:

This patch was applied to netdev/net-next.git (refs/heads/master):

On Tue, 19 Jan 2021 17:53:35 +0300 you wrote:
> The > comparison is intended to be >= to prevent reading beyond the
> end of the ps->vlans[] array. It doesn't affect run time though because
> the ps->vlans[] array has VLAN_N_VID (4096) elements and the vlan->vid
> cannot be > 4094 because it is checked earlier.
>
> Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> [...]

Here is the summary with links:
  - [net-next] net: dsa: Fix off by one in dsa_loop_port_vlan_add()
    https://git.kernel.org/netdev/net-next/c/646188c9550f

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/drivers/net/dsa/dsa_loop.c b/drivers/net/dsa/dsa_loop.c index 5f69216376fe..8c283f59158b 100644 --- a/drivers/net/dsa/dsa_loop.c +++ b/drivers/net/dsa/dsa_loop.c @@ -207,7 +207,7 @@ static int dsa_loop_port_vlan_add(struct dsa_switch *ds, int port, struct mii_bus *bus = ps->bus; struct dsa_loop_vlan *vl; - if (vlan->vid > ARRAY_SIZE(ps->vlans)) + if (vlan->vid >= ARRAY_SIZE(ps->vlans)) return -ERANGE; /* Just do a sleeping operation to make lockdep checks effective */
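Review bot: The corrected test `if (vlan->vid >= ARRAY_SIZE(ps->vlans))` is the right bound for indexing ps->vlans[], but nothing in the hunk marks it as a purely defensive check. The description says vlan->vid cannot exceed 4094 because it is validated earlier, and the submitter is not certain where that happens. A one-line comment above the test saying that the VID range is already enforced by the caller, and naming that validation once it is identified, would keep a later reader from treating the -ERANGE return as a reachable path. It would also make the stated alternative of deleting the check easier to judge.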
The > comparison is intended to be >= to prevent reading beyond the
end of the ps->vlans[] array. It doesn't affect run time though because
the ps->vlans[] array has VLAN_N_VID (4096) elements and the vlan->vid
cannot be > 4094 because it is checked earlier.

Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I'm not 100% sure where this is checked but the other code has comments
and assumptions that say that it is and Smatch says that it is. If I
had to guess, I would say that the check is in the nla policy.
[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),

This patch is against linux-next. I could re-write it against net if
you want.

Another option would be to just delete the sanity check.

 drivers/net/dsa/dsa_loop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)