From: Dan Carpenter <dan.carpenter@oracle.com>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org
Subject: re: netfilter: nft_reject: introduce icmp code abstraction for inet and bridge
Date: Tue, 7 Oct 2014 17:26:51 +0300
Message-ID: <20141007142651.GA29598@mwanda>

Hello Pablo Neira Ayuso,

The patch 51b0a5d8c21a: "netfilter: nft_reject: introduce icmp code
abstraction for inet and bridge" from Sep 26, 2014, leads to the
following static checker warning:

	net/netfilter/nft_reject.c:87 nft_reject_icmp_code()
	error: buffer overflow 'icmp_code_v4' 5 <= 5

net/netfilter/nft_reject.c
    75  static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX] = {
    76          [NFT_REJECT_ICMPX_NO_ROUTE] = ICMP_NET_UNREACH,
    77          [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMP_PORT_UNREACH,
    78          [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMP_HOST_UNREACH,
    79          [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMP_PKT_FILTERED,
    80  };
    81
    82  int nft_reject_icmp_code(u8 code)
    83  {
    84          if (code > NFT_REJECT_ICMPX_MAX)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Obviously this should be >= instead of >, but I also had a question
about NFT_REJECT_ICMPX_MAX.

#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)

__NFT_REJECT_ICMPX_MAX is already plus one so it feels like
NFT_REJECT_ICMPX_MAX is one higher than needed. (But it also has been a
long day and I'm no longer sure I know how to add 1 + 4).

    85                  return -EINVAL;
    86
    87          return icmp_code_v4[code];
    88  }
    89
    90  EXPORT_SYMBOL_GPL(nft_reject_icmp_code);
    91
    92
    93  static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX] = {
    94          [NFT_REJECT_ICMPX_NO_ROUTE] = ICMPV6_NOROUTE,
    95          [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMPV6_PORT_UNREACH,
    96          [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMPV6_ADDR_UNREACH,
    97          [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMPV6_ADM_PROHIBITED,
    98  };
    99
   100  int nft_reject_icmpv6_code(u8 code)
   101  {
   102          if (code > NFT_REJECT_ICMPX_MAX)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Same thing.

   103                  return -EINVAL;
   104
   105          return icmp_code_v6[code];
   106  }

regards,
dan carpenter
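
An added example (not code from the mail or from the kernel tree) that isolates the bounds check reported above: for each variant of the comparison it counts which u8 values pass validation yet index past the table, or name no defined code. The `DEMO_*` names, the enum layout behind them and the table values are assumptions standing in for the `NFT_REJECT_ICMPX_*` definitions, which the mail does not quote in full.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-ins for NFT_REJECT_ICMPX_*; this enum layout is assumed. */
enum demo_code { DEMO_NO_ROUTE, DEMO_PORT, DEMO_HOST, DEMO_ADMIN, DEMO_SENTINEL };
#define DEMO_MAX (DEMO_SENTINEL + 1)	/* 5: sentinel plus one, as in the mail */

/* Constructed table: 4 named entries in 5 slots, so slot 4 is zero padding. */
static const uint8_t demo_table[DEMO_MAX] = {
	[DEMO_NO_ROUTE] = 0, [DEMO_PORT] = 3, [DEMO_HOST] = 1, [DEMO_ADMIN] = 13,
};

/* Check as quoted in the mail: code == DEMO_MAX (5) passes. */
static int check_gt(uint8_t code) { return code > DEMO_MAX ? -EINVAL : 0; }

/* '>' changed to '>=': stays in bounds, but padding slot 4 still passes. */
static int check_ge(uint8_t code) { return code >= DEMO_MAX ? -EINVAL : 0; }

/* Bound tied to the number of defined codes: only 0..3 pass. */
static int check_tight(uint8_t code) { return code >= DEMO_SENTINEL ? -EINVAL : 0; }

/* Lookup that validates with the tight bound before indexing. */
static int demo_lookup(uint8_t code) { return check_tight(code) ? -EINVAL : demo_table[code]; }

/* Count the u8 values a check accepts that are >= limit. */
static unsigned accepted_at_or_above(int (*check)(uint8_t), size_t limit)
{
	unsigned n = 0;
	for (unsigned c = 0; c <= UINT8_MAX; c++)
		if (check((uint8_t)c) == 0 && c >= limit)
			n++;
	return n;
}

int main(void)
{
	int (*checks[])(uint8_t) = { check_gt, check_ge, check_tight };
	const char *names[] = { "code >  MAX", "code >= MAX", "code >= count" };
	for (size_t i = 0; i < ARRAY_SIZE(checks); i++)
		printf("%-14s past table end: %u, undefined codes: %u\n", names[i],
		       accepted_at_or_above(checks[i], ARRAY_SIZE(demo_table)),
		       accepted_at_or_above(checks[i], DEMO_SENTINEL));
	printf("lookup(4) = %d\n", demo_lookup(4));
	return 0;
}
```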