From mboxrd@z Thu Jan 1 00:00:00 1970 From: Colin King Subject: [PATCH][next] netdevsim: fix sa_idx out of bounds check Date: Sat, 30 Jun 2018 21:39:24 +0100 Message-ID: <20180630203924.5121-1-colin.king@canonical.com> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org To: Jakub Kicinski , "David S . Miller" , netdev@vger.kernel.org Return-path: Received: from youngberry.canonical.com ([91.189.89.112]:35154 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751466AbeF3Uj2 (ORCPT ); Sat, 30 Jun 2018 16:39:28 -0400 Sender: netdev-owner@vger.kernel.org List-ID: From: Colin Ian King Currently if sa_idx is equal to NSIM_IPSEC_MAX_SA_COUNT then an out-of-bounds read on ipsec->sa will occur. Fix the incorrect bounds check by using >= rather than >. Detected by CoverityScan, CID#1470226 ("Out-of-bounds-read") Fixes: 7699353da875 ("netdevsim: add ipsec offload testing") Signed-off-by: Colin Ian King --- drivers/net/netdevsim/ipsec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/netdevsim/ipsec.c b/drivers/net/netdevsim/ipsec.c index ceff544510b9..2dcf6cc269d0 100644 --- a/drivers/net/netdevsim/ipsec.c +++ b/drivers/net/netdevsim/ipsec.c @@ -249,7 +249,7 @@ bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb) } sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; - if (unlikely(sa_idx > NSIM_IPSEC_MAX_SA_COUNT)) { + if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) { netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n", sa_idx, NSIM_IPSEC_MAX_SA_COUNT); return false; -- 2.17.1