From mboxrd@z Thu Jan 1 00:00:00 1970 From: Shannon Nelson Subject: Re: [PATCH][next] netdevsim: fix sa_idx out of bounds check Date: Sun, 1 Jul 2018 12:21:17 -0700 Message-ID: <8bfbcc6a-eed8-c5fd-17a9-35fcf5f94b57@oracle.com> References: <20180630203924.5121-1-colin.king@canonical.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org To: Colin King , Jakub Kicinski , "David S . Miller" , netdev@vger.kernel.org Return-path: Received: from userp2130.oracle.com ([156.151.31.86]:41082 "EHLO userp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752433AbeGATV3 (ORCPT ); Sun, 1 Jul 2018 15:21:29 -0400 In-Reply-To: <20180630203924.5121-1-colin.king@canonical.com> Content-Language: en-US Sender: netdev-owner@vger.kernel.org List-ID: On 6/30/2018 1:39 PM, Colin King wrote: > From: Colin Ian King > > Currently if sa_idx is equal to NSIM_IPSEC_MAX_SA_COUNT then > an out-of-bounds read on ipsec->sa will occur. Fix the > incorrect bounds check by using >= rather than >. > > Detected by CoverityScan, CID#1470226 ("Out-of-bounds-read") > > Fixes: 7699353da875 ("netdevsim: add ipsec offload testing") > Signed-off-by: Colin Ian King > --- > drivers/net/netdevsim/ipsec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/netdevsim/ipsec.c b/drivers/net/netdevsim/ipsec.c > index ceff544510b9..2dcf6cc269d0 100644 > --- a/drivers/net/netdevsim/ipsec.c > +++ b/drivers/net/netdevsim/ipsec.c > @@ -249,7 +249,7 @@ bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb) > } > > sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; > - if (unlikely(sa_idx > NSIM_IPSEC_MAX_SA_COUNT)) { > + if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) { > netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n", > sa_idx, NSIM_IPSEC_MAX_SA_COUNT); > return false; > Good catch - thanks! Acked-by: Shannon Nelson
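Review bot: In the netdev_err() call directly below the changed comparison, the message still prints max=%d with NSIM_IPSEC_MAX_SA_COUNT, so with the corrected >= check a rejected index equal to the count is logged as "bad sa_idx=N max=N", which reads as if N were in range; consider printing NSIM_IPSEC_MAX_SA_COUNT - 1 or labelling the value as a count rather than a maximum. The comparison also has no lower bound, and the %d format suggests a signed sa_idx whose declaration lies outside this hunk, so it is worth confirming the variable's type (or making it unsigned) so that a negative value cannot pass the check and be used to index ipsec->sa.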