Message ID | 20141122183059.GC6994@mwanda |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
On Sat, Nov 22, 2014 at 10:30 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> There is a typo here, "array" is null so we can't dereference it and
> also the size calculation should match the kzalloc() on the lines
> before.

Not sure what tree you're looking at... it was more than a typo, but it was fixed 4 days ago. See commit daaf427c6ab39 ("bpf: fix arraymap NULL deref and missing overflow and zero size checks")

--
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c index 58b80c1..662a412 100644 --- a/kernel/bpf/arraymap.c +++ b/kernel/bpf/arraymap.c @@ -38,7 +38,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr) array = kzalloc(sizeof(*array) + attr->max_entries * elem_size, GFP_USER | __GFP_NOWARN); if (!array) { - array = vzalloc(array->map.max_entries * array->elem_size); + array = vzalloc(sizeof(*array) + attr->max_entries * elem_size); if (!array) return ERR_PTR(-ENOMEM); }
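
Review bot: the added vzalloc() line repeats the size expression `sizeof(*array) + attr->max_entries * elem_size` from the kzalloc() call above it, and nothing in the visible context checks that `attr->max_entries * elem_size` cannot wrap before either allocation. Compute the size once into a local, reject a product that would overflow before allocating, and pass that one value to both kzalloc() and vzalloc() so the two calls cannot drift apart again.
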
There is a typo here, "array" is null so we can't dereference it and also the size calculation should match the kzalloc() on the lines before.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>