Subject: re: netfilter: nft_reject: introduce icmp code abstraction for inet and bridge
From: Dan Carpenter
Date: 2014-10-07 14:26 UTC
To: pablo
Cc: netfilter-devel
Hello Pablo Neira Ayuso,
The patch 51b0a5d8c21a: "netfilter: nft_reject: introduce icmp code
abstraction for inet and bridge" from Sep 26, 2014, leads to the
following static checker warning:
net/netfilter/nft_reject.c:87 nft_reject_icmp_code()
error: buffer overflow 'icmp_code_v4' 5 <= 5
net/netfilter/nft_reject.c
75 static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX] = {
76 [NFT_REJECT_ICMPX_NO_ROUTE] = ICMP_NET_UNREACH,
77 [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMP_PORT_UNREACH,
78 [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMP_HOST_UNREACH,
79 [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMP_PKT_FILTERED,
80 };
81
82 int nft_reject_icmp_code(u8 code)
83 {
84 if (code > NFT_REJECT_ICMPX_MAX)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Obviously this should be >= instead of >, but I also had a question
about NFT_REJECT_ICMPX_MAX.
#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)
__NFT_REJECT_ICMPX_MAX is already plus one so it feels like
NFT_REJECT_ICMPX_MAX is one higher than needed. (But it also has been a
long day and I'm no longer sure I know how to add 1 + 4).
85 return -EINVAL;
86
87 return icmp_code_v4[code];
88 }
89
90 EXPORT_SYMBOL_GPL(nft_reject_icmp_code);
91
92
93 static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX] = {
94 [NFT_REJECT_ICMPX_NO_ROUTE] = ICMPV6_NOROUTE,
95 [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMPV6_PORT_UNREACH,
96 [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMPV6_ADDR_UNREACH,
97 [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMPV6_ADM_PROHIBITED,
98 };
99
100 int nft_reject_icmpv6_code(u8 code)
101 {
102 if (code > NFT_REJECT_ICMPX_MAX)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Same thing.
103 return -EINVAL;
104
105 return icmp_code_v6[code];
106 }
regards,
dan carpenter
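The following is an added example, not part of Dan's mail or of the kernel source quoted above. It is a stand-alone model of the lookup table in the report and shows why the range test in front of an array indexed by a caller-supplied code has to be ">=" against the table length, not ">". The enum, table and function names, the placeholder ICMP values, and the `__X_MAX` / `X_MAX = __X_MAX - 1` sentinel convention are all assumptions chosen to mirror the report (the real uapi definitions are not reproduced here).

```c
/*
 * Added example (not the kernel's code).  Models the enum-indexed lookup
 * table from the report.  Names and values are constructed for illustration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Assumed layout: __ICMPX_MAX is one past the last valid code. */
enum icmpx_code {
	ICMPX_NO_ROUTE,
	ICMPX_PORT_UNREACH,
	ICMPX_HOST_UNREACH,
	ICMPX_ADMIN_PROHIBITED,
	__ICMPX_MAX
};
/* Highest valid code (3), following the usual "__X_MAX - 1" convention. */
#define ICMPX_MAX (__ICMPX_MAX - 1)

/* Placeholder ICMPv4 codes (constructed, not taken from <linux/icmp.h>). */
static const uint8_t icmp_code_v4[__ICMPX_MAX] = {
	[ICMPX_NO_ROUTE]         = 0,
	[ICMPX_PORT_UNREACH]     = 3,
	[ICMPX_HOST_UNREACH]     = 1,
	[ICMPX_ADMIN_PROHIBITED] = 13,
};

/*
 * The test as written in the reported code: "code > length" still lets
 * code == length through, which is one element past the end of the table.
 * Returns 0 when the code would be accepted, -EINVAL when rejected.
 */
int bounds_check_buggy(uint8_t code)
{
	if (code > ARRAY_SIZE(icmp_code_v4))
		return -EINVAL;
	return 0;
}

/* Corrected test: the valid indices are 0 .. length-1, so reject >= length. */
int bounds_check_fixed(uint8_t code)
{
	if (code >= ARRAY_SIZE(icmp_code_v4))
		return -EINVAL;
	return 0;
}

/*
 * Lookup using the corrected check.  Valid entries are small non-negative
 * values, so a negative return (-EINVAL) is unambiguous to the caller.
 */
int icmp_code_lookup(uint8_t code)
{
	if (bounds_check_fixed(code) < 0)
		return -EINVAL;
	return icmp_code_v4[code];
}
```

The distinction matters because the code value comes from netlink attributes supplied by the rule author; the sentinel `__ICMPX_MAX` is the table length and is itself not a valid index, so it must be rejected along with everything above it.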