| Message ID | 20180127035000.29962-1-jakub.kicinski@netronome.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | BPF Maintainers |
| Headers | show |
| Series | [bpf-next] netdevsim: fix overflow on the error path | expand |
On Fri, Jan 26, 2018 at 07:50:00PM -0800, Jakub Kicinski wrote: > Undo loop condition on the error path would cause the i counter > to go below zero, if allocation failure happened with the first > (i.e. 0th) element of the array. > > Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: Simon Horman <simon.horman@netronome.com>
On 01/27/2018 04:50 AM, Jakub Kicinski wrote: > Undo loop condition on the error path would cause the i counter > to go below zero, if allocation failure happened with the first > (i.e. 0th) element of the array. > > Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Now that Linus has pulled everything, and we fast-forwarded bpf, applied to bpf tree, thanks Jakub!
diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c index de73c1ff0939..75c25306d234 100644 --- a/drivers/net/netdevsim/bpf.c +++ b/drivers/net/netdevsim/bpf.c @@ -480,8 +480,7 @@ static int nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap) { struct nsim_bpf_bound_map *nmap; - unsigned int i; - int err; + int i, err; if (WARN_ON(offmap->map.map_type != BPF_MAP_TYPE_ARRAY && offmap->map.map_type != BPF_MAP_TYPE_HASH)) @@ -518,7 +517,7 @@ nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap) return 0; err_free: - while (--i) { + while (--i >= 0) { kfree(nmap->entry[i].key); kfree(nmap->entry[i].value); }
Undo loop condition on the error path would cause the i counter to go below zero, if allocation failure happened with the first (i.e. 0th) element of the array. Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> --- drivers/net/netdevsim/bpf.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)