From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jakub Kicinski Subject: [PATCH bpf-next] netdevsim: fix overflow on the error path Date: Fri, 26 Jan 2018 19:50:00 -0800 Message-ID: <20180127035000.29962-1-jakub.kicinski@netronome.com> Cc: dan.carpenter@oracle.com, netdev@vger.kernel.org, oss-drivers@netronome.com, Jakub Kicinski To: daniel@iogearbox.net, alexei.starovoitov@gmail.com Return-path: Received: from mail-pg0-f67.google.com ([74.125.83.67]:46252 "EHLO mail-pg0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751391AbeA0Duu (ORCPT ); Fri, 26 Jan 2018 22:50:50 -0500 Received: by mail-pg0-f67.google.com with SMTP id s9so1379708pgq.13 for ; Fri, 26 Jan 2018 19:50:49 -0800 (PST) Sender: netdev-owner@vger.kernel.org List-ID: Undo loop condition on the error path would cause the i counter to go below zero, if allocation failure happened with the first (i.e. 0th) element of the array. Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload") Reported-by: Dan Carpenter Signed-off-by: Jakub Kicinski --- drivers/net/netdevsim/bpf.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c index de73c1ff0939..75c25306d234 100644 --- a/drivers/net/netdevsim/bpf.c +++ b/drivers/net/netdevsim/bpf.c @@ -480,8 +480,7 @@ static int nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap) { struct nsim_bpf_bound_map *nmap; - unsigned int i; - int err; + int i, err; if (WARN_ON(offmap->map.map_type != BPF_MAP_TYPE_ARRAY && offmap->map.map_type != BPF_MAP_TYPE_HASH)) @@ -518,7 +517,7 @@ nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap) return 0; err_free: - while (--i) { + while (--i >= 0) { kfree(nmap->entry[i].key); kfree(nmap->entry[i].value); } -- 2.15.1