From: Dan Carpenter <dan.carpenter@oracle.com>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org
Subject: re: netfilter: nft_reject: introduce icmp code abstraction for inet and bridge
Date: Tue, 7 Oct 2014 17:26:51 +0300
Message-ID: <20141007142651.GA29598@mwanda>

Hello Pablo Neira Ayuso,

The patch 51b0a5d8c21a: "netfilter: nft_reject: introduce icmp code
abstraction for inet and bridge" from Sep 26, 2014, leads to the
following static checker warning:

	net/netfilter/nft_reject.c:87 nft_reject_icmp_code()
	error: buffer overflow 'icmp_code_v4' 5 <= 5

net/netfilter/nft_reject.c
    75  static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX] = {
    76          [NFT_REJECT_ICMPX_NO_ROUTE]             = ICMP_NET_UNREACH,
    77          [NFT_REJECT_ICMPX_PORT_UNREACH]         = ICMP_PORT_UNREACH,
    78          [NFT_REJECT_ICMPX_HOST_UNREACH]         = ICMP_HOST_UNREACH,
    79          [NFT_REJECT_ICMPX_ADMIN_PROHIBITED]     = ICMP_PKT_FILTERED,
    80  };
    81  
    82  int nft_reject_icmp_code(u8 code)
    83  {
    84          if (code > NFT_REJECT_ICMPX_MAX)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Obviously this should be >= instead of >, but I also had a question
about NFT_REJECT_ICMPX_MAX.

#define NFT_REJECT_ICMPX_MAX   (__NFT_REJECT_ICMPX_MAX + 1)

__NFT_REJECT_ICMPX_MAX is already plus one so it feels like
NFT_REJECT_ICMPX_MAX is one higher than needed.  (But it also has been a
long day and I'm no longer sure I know how to add 1 + 4).

    85                  return -EINVAL;
    86  
    87          return icmp_code_v4[code];
    88  }
    89  
    90  EXPORT_SYMBOL_GPL(nft_reject_icmp_code);
    91  
    92  
    93  static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX] = {
    94          [NFT_REJECT_ICMPX_NO_ROUTE]             = ICMPV6_NOROUTE,
    95          [NFT_REJECT_ICMPX_PORT_UNREACH]         = ICMPV6_PORT_UNREACH,
    96          [NFT_REJECT_ICMPX_HOST_UNREACH]         = ICMPV6_ADDR_UNREACH,
    97          [NFT_REJECT_ICMPX_ADMIN_PROHIBITED]     = ICMPV6_ADM_PROHIBITED,
    98  };
    99  
   100  int nft_reject_icmpv6_code(u8 code)
   101  {
   102          if (code > NFT_REJECT_ICMPX_MAX)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Same thing.

   103                  return -EINVAL;
   104  
   105          return icmp_code_v6[code];
   106  }

regards,
dan carpenter
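As an added illustration of the two points raised in the mail (this is not the kernel's code and not part of the original message): a stand-alone model of the `icmp_code_v4` lookup, with the `>` check as posted beside the `>=` form the mail suggests, plus a brute-force harness that walks every `u8` and reports the first index a predicate lets through that the table does not cover. The enum layout, the `__NFT_REJECT_ICMPX_MAX + 1` macro and the sizes are assumptions chosen to reproduce the "5 <= 5" warning; the ICMP code constants are the values from `<linux/icmp.h>`, restated here so the file compiles outside the kernel tree. A third lookup bounds on the enum sentinel itself, to show that the `+ 1` in the macro leaves a slot the `>=` fix alone still accepts.

```c
/* Added example, not the kernel's code: models the bounds check Dan
 * flagged in nft_reject.c and the "MAX is one higher than needed"
 * observation.  Enum values and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <errno.h>
#include <stdio.h>

typedef uint8_t u8;

/* Assumed shape of the uapi enum: the __..._MAX sentinel is already
 * "last valid + 1", and the public macro adds one more on top of it. */
enum nft_reject_inet_code {
	NFT_REJECT_ICMPX_NO_ROUTE = 0,
	NFT_REJECT_ICMPX_PORT_UNREACH,
	NFT_REJECT_ICMPX_HOST_UNREACH,
	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
	__NFT_REJECT_ICMPX_MAX			/* == 4 */
};
#define NFT_REJECT_ICMPX_MAX	(__NFT_REJECT_ICMPX_MAX + 1)	/* == 5 */

/* ICMPv4 code values, as in <linux/icmp.h>, restated for a userspace build. */
#define ICMP_NET_UNREACH	0
#define ICMP_HOST_UNREACH	1
#define ICMP_PORT_UNREACH	3
#define ICMP_PKT_FILTERED	13

/* Five slots, four of them populated; slot 4 stays zero-initialised. */
static const u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX] = {
	[NFT_REJECT_ICMPX_NO_ROUTE]		= ICMP_NET_UNREACH,
	[NFT_REJECT_ICMPX_PORT_UNREACH]		= ICMP_PORT_UNREACH,
	[NFT_REJECT_ICMPX_HOST_UNREACH]		= ICMP_HOST_UNREACH,
	[NFT_REJECT_ICMPX_ADMIN_PROHIBITED]	= ICMP_PKT_FILTERED,
};

/* The predicate as posted: accepts code == NFT_REJECT_ICMPX_MAX (index 5). */
static bool accepts_buggy(u8 code)
{
	return !(code > NFT_REJECT_ICMPX_MAX);
}

/* The ">=" form the mail suggests: accepts only 0 .. NFT_REJECT_ICMPX_MAX-1. */
static bool accepts_fixed(u8 code)
{
	return !(code >= NFT_REJECT_ICMPX_MAX);
}

/* Bound on the enum sentinel: accepts only the four populated slots. */
static bool accepts_strict(u8 code)
{
	return code < __NFT_REJECT_ICMPX_MAX;
}

/* Walk every possible u8 and return the first index the predicate accepts
 * that lies at or past the end of a table of table_len entries, or -1 if
 * the predicate is sound for that size.  Nothing is dereferenced, so this
 * is safe to run against a bad predicate. */
int first_escaping_index(bool (*accepts)(u8), size_t table_len)
{
	for (unsigned int c = 0; c <= UINT8_MAX; c++)
		if (accepts((u8)c) && c >= table_len)
			return (int)c;
	return -1;
}

/* Lookup with the ">=" check; -EINVAL for a rejected code, as in the kernel. */
int nft_reject_icmp_code_fixed(u8 code)
{
	if (!accepts_fixed(code))
		return -EINVAL;
	return icmp_code_v4[code];
}

/* Lookup bounded on the enum sentinel, so the unpopulated slot is rejected
 * instead of silently returning 0 (ICMP_NET_UNREACH). */
int nft_reject_icmp_code_strict(u8 code)
{
	if (!accepts_strict(code))
		return -EINVAL;
	return icmp_code_v4[code];
}

int main(void)
{
	printf("posted '>' check: first escaping index = %d\n",
	       first_escaping_index(accepts_buggy, NFT_REJECT_ICMPX_MAX));
	printf("'>=' check:       first escaping index = %d\n",
	       first_escaping_index(accepts_fixed, NFT_REJECT_ICMPX_MAX));
	printf("code %d via '>=' lookup: %d (unpopulated slot)\n",
	       __NFT_REJECT_ICMPX_MAX,
	       nft_reject_icmp_code_fixed(__NFT_REJECT_ICMPX_MAX));
	printf("code %d via strict lookup: %d\n",
	       __NFT_REJECT_ICMPX_MAX,
	       nft_reject_icmp_code_strict(__NFT_REJECT_ICMPX_MAX));
	return 0;
}
```

The harness reproduces the static checker's finding without performing the out-of-bounds read: against a five-entry table the posted predicate lets index 5 through, the `>=` form lets nothing through. The strict lookup shows the second point in the mail: with `NFT_REJECT_ICMPX_MAX` one higher than the sentinel, the table has a fifth slot that the `>=` fix still accepts and that maps to whatever the zero-initialiser left there.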
