From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Carpenter Subject: [patch v2] bridge: make buffer larger in br_setlink() Date: Fri, 7 Dec 2012 14:10:46 +0300 Message-ID: <20121207111045.GA9676@elgon.mountain> References: <20121207093107.GA2996@casper.infradead.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Thomas Graf , netdev@vger.kernel.org, bridge@lists.linux-foundation.org, kernel-janitors@vger.kernel.org, "David S. Miller" To: Stephen Hemminger Return-path: Content-Disposition: inline In-Reply-To: <20121207093107.GA2996@casper.infradead.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: bridge-bounces@lists.linux-foundation.org Errors-To: bridge-bounces@lists.linux-foundation.org List-Id: netdev.vger.kernel.org We pass IFLA_BRPORT_MAX to nla_parse_nested() so we need IFLA_BRPORT_MAX + 1 elements. Also Smatch complains that we read past the end of the array in br_set_port_flag() when it's called with IFLA_BRPORT_FAST_LEAVE. Signed-off-by: Dan Carpenter --- v2: Style tweak. Only needed in linux-next. diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index 850b7d1..cfc5cfe 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c @@ -239,7 +239,7 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh) struct ifinfomsg *ifm; struct nlattr *protinfo; struct net_bridge_port *p; - struct nlattr *tb[IFLA_BRPORT_MAX]; + struct nlattr *tb[IFLA_BRPORT_MAX + 1]; int err; ifm = nlmsg_data(nlh);
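
Review bot: the changelog describes the undersized tb[] in br_setlink() only as a read past the end in br_set_port_flag(), but with the old `struct nlattr *tb[IFLA_BRPORT_MAX];` the parse itself is also a write past the end: nla_parse_nested() clears and fills slots 0 through maxtype, so passing IFLA_BRPORT_MAX touches IFLA_BRPORT_MAX + 1 pointers on the stack. The `+ 1` sizing is the right fix; I would say in the commit message that it closes a stack out-of-bounds write as well as the Smatch-reported read. The nla_parse_nested() call is outside the hunk's context, so it is worth confirming that it still passes IFLA_BRPORT_MAX as maxtype and that nothing else in this function indexes tb[] with a larger value.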