From: Ralf Baechle <ralf@linux-mips.org>
To: "David S. Miller" <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Off by one buglets
Date: Fri, 30 Jun 2006 15:29:01 +0100 [thread overview]
Message-ID: <20060630142901.GA13898@linux-mips.org> (raw)
Ages ago, changeset
http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=22d864d542a0b92116751186f1794c7d0f1ca1b9
which converted several protocols from using open coded comparisons to
use the helper function sk_acceptq_is_full() did introduce a bunch of
off by one errors - sk_acceptq_is_full checks for
sk_ack_backlog > sk_max_ack_backlog but it replaced >= or == comparisons.
Below patch is really only meant to illustrate the change, not to be
applied.
Ralf
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
net/atm/signaling.c | 3 ++-
net/ax25/ax25_in.c | 2 +-
net/decnet/dn_nsp_in.c | 2 +-
net/netrom/af_netrom.c | 2 +-
net/rose/af_rose.c | 2 +-
net/sctp/sm_statefuns.c | 2 +-
net/x25/af_x25.c | 2 +-
7 files changed, 8 insertions(+), 7 deletions(-)
Index: linux-net/net/atm/signaling.c
===================================================================
--- linux-net.orig/net/atm/signaling.c 2006-06-29 17:11:33.000000000 +0100
+++ linux-net/net/atm/signaling.c 2006-06-30 15:11:53.000000000 +0100
@@ -132,7 +132,8 @@ static int sigd_send(struct atm_vcc *vcc
sk = sk_atm(vcc);
DPRINTK("as_indicate!!!\n");
lock_sock(sk);
- if (sk_acceptq_is_full(sk)) {
+ if (vcc->sk->sk_ack_backlog ==
+ vcc->sk->sk_max_ack_backlog) {
sigd_enq(NULL,as_reject,vcc,NULL,NULL);
dev_kfree_skb(skb);
goto as_indicate_complete;
Index: linux-net/net/ax25/ax25_in.c
===================================================================
--- linux-net.orig/net/ax25/ax25_in.c 2006-06-29 17:11:33.000000000 +0100
+++ linux-net/net/ax25/ax25_in.c 2006-06-30 15:11:53.000000000 +0100
@@ -351,7 +351,7 @@ static int ax25_rcv(struct sk_buff *skb,
if (sk != NULL) {
bh_lock_sock(sk);
- if (sk_acceptq_is_full(sk) ||
+ if (sk->sk_ack_backlog == sk->sk_max_ack_backlog ||
(make = ax25_make_new(sk, ax25_dev)) == NULL) {
if (mine)
ax25_return_dm(dev, &src, &dest, &dp);
Index: linux-net/net/decnet/dn_nsp_in.c
===================================================================
--- linux-net.orig/net/decnet/dn_nsp_in.c 2006-06-29 17:11:33.000000000 +0100
+++ linux-net/net/decnet/dn_nsp_in.c 2006-06-30 15:11:53.000000000 +0100
@@ -324,7 +324,7 @@ err_out:
static void dn_nsp_conn_init(struct sock *sk, struct sk_buff *skb)
{
- if (sk_acceptq_is_full(sk)) {
+ if (sk->sk_ack_backlog >= sk->sk_max_ack_backlog) {
kfree_skb(skb);
return;
}
Index: linux-net/net/netrom/af_netrom.c
===================================================================
--- linux-net.orig/net/netrom/af_netrom.c 2006-06-30 14:46:42.000000000 +0100
+++ linux-net/net/netrom/af_netrom.c 2006-06-30 15:11:53.000000000 +0100
@@ -933,7 +933,7 @@ int nr_rx_frame(struct sk_buff *skb, str
user = (ax25_address *)(skb->data + 21);
- if (sk == NULL || sk_acceptq_is_full(sk) ||
+ if (sk == NULL || sk->sk_ack_backlog == sk->sk_max_ack_backlog ||
(make = nr_make_new(sk)) == NULL) {
nr_transmit_refusal(skb, 0);
if (sk)
Index: linux-net/net/rose/af_rose.c
===================================================================
--- linux-net.orig/net/rose/af_rose.c 2006-06-30 14:49:03.000000000 +0100
+++ linux-net/net/rose/af_rose.c 2006-06-30 15:11:53.000000000 +0100
@@ -948,7 +948,7 @@ int rose_rx_call_request(struct sk_buff
/*
* We can't accept the Call Request.
*/
- if (sk == NULL || sk_acceptq_is_full(sk) ||
+ if (sk == NULL || sk->sk_ack_backlog == sk->sk_max_ack_backlog ||
(make = rose_make_new(sk)) == NULL) {
rose_transmit_clear_request(neigh, lci, ROSE_NETWORK_CONGESTION, 120);
return 0;
Index: linux-net/net/sctp/sm_statefuns.c
===================================================================
--- linux-net.orig/net/sctp/sm_statefuns.c 2006-06-29 17:11:33.000000000 +0100
+++ linux-net/net/sctp/sm_statefuns.c 2006-06-30 15:11:53.000000000 +0100
@@ -282,7 +282,7 @@ sctp_disposition_t sctp_sf_do_5_1B_init(
*/
if (!sctp_sstate(sk, LISTENING) ||
(sctp_style(sk, TCP) &&
- sk_acceptq_is_full(sk)))
+ (sk->sk_ack_backlog >= sk->sk_max_ack_backlog)))
return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
Index: linux-net/net/x25/af_x25.c
===================================================================
--- linux-net.orig/net/x25/af_x25.c 2006-06-29 17:11:33.000000000 +0100
+++ linux-net/net/x25/af_x25.c 2006-06-30 15:11:53.000000000 +0100
@@ -879,7 +879,7 @@ int x25_rx_call_request(struct sk_buff *
/*
* We can't accept the Call Request.
*/
- if (sk == NULL || sk_acceptq_is_full(sk))
+ if (sk == NULL || sk->sk_ack_backlog == sk->sk_max_ack_backlog)
goto out_clear_request;
/*
next reply other threads:[~2006-06-30 14:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-30 14:29 Ralf Baechle [this message]
2006-07-04 2:34 ` Off by one buglets David Miller
2006-07-31 22:28 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060630142901.GA13898@linux-mips.org \
--to=ralf@linux-mips.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).