From patchwork Tue Sep 29 21:27:05 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sascha Hlusiak
X-Patchwork-Id: 34469
X-Patchwork-Delegate: davem@davemloft.net
From: Sascha Hlusiak
To: netdev@vger.kernel.org
Cc: fred.l.templin@boeing.com, Sascha Hlusiak
Subject: [PATCH] sit: fix off-by-one in ipip6_tunnel_get_prl
Date: Tue, 29 Sep 2009 23:27:05 +0200
Message-Id: <1254259625-29320-1-git-send-email-contact@saschahlusiak.de>
X-Mailer: git-send-email 1.6.5.rc1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

When requesting all prl entries (kprl.addr == INADDR_ANY) and there are
more prl entries than there is space passed from userspace, the existing
code would always copy cmax+1 entries, which is more than can be handled.
This patch makes the kernel copy only exactly cmax entries.

Signed-off-by: Sascha Hlusiak Acked-By: Fred L. Templin --- net/ipv6/sit.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index d65e0c4..dbd19a7 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -274,7 +274,7 @@ static int ipip6_tunnel_get_prl(struct ip_tunnel *t, c = 0; for (prl = t->prl; prl; prl = prl->next) { - if (c > cmax) + if (c >= cmax) break; if (kprl.addr != htonl(INADDR_ANY) && prl->addr != kprl.addr) continue;
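
Review bot: the commit message does not say what the extra entry overruns, and that matters for how the changed test `if (c >= cmax)` in ipip6_tunnel_get_prl() should be triaged. "More than can be handled" could mean a write one element past a kernel buffer sized for cmax entries, or only a copy that is larger than the space userspace provided; please state which, and if it is the former, say so explicitly and consider tagging the fix for stable. It would also help to note in the message that the bound is now checked before the `kprl.addr` filter runs, so the loop stops as soon as c reaches cmax even when later entries would not have matched. A short comment above the test saying that c counts entries already stored and cmax is the capacity derived from the userspace request would keep the comparison from drifting back to `>`.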