* re: netfilter: nft_reject: introduce icmp code abstraction for inet and bridge
@ 2014-10-07 14:26 Dan Carpenter
From: Dan Carpenter @ 2014-10-07 14:26 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
Hello Pablo Neira Ayuso,
The patch 51b0a5d8c21a: "netfilter: nft_reject: introduce icmp code
abstraction for inet and bridge" from Sep 26, 2014, leads to the
following static checker warning:
net/netfilter/nft_reject.c:87 nft_reject_icmp_code()
error: buffer overflow 'icmp_code_v4' 5 <= 5
net/netfilter/nft_reject.c
75 static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX] = {
76 [NFT_REJECT_ICMPX_NO_ROUTE] = ICMP_NET_UNREACH,
77 [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMP_PORT_UNREACH,
78 [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMP_HOST_UNREACH,
79 [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMP_PKT_FILTERED,
80 };
81
82 int nft_reject_icmp_code(u8 code)
83 {
84 if (code > NFT_REJECT_ICMPX_MAX)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Obviously this should be >= instead of >, but I also had a question
about NFT_REJECT_ICMPX_MAX.
#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)
__NFT_REJECT_ICMPX_MAX is already plus one so it feels like
NFT_REJECT_ICMPX_MAX is one higher than needed. (But it also has been a
long day and I'm no longer sure I know how to add 1 + 4).
85 return -EINVAL;
86
87 return icmp_code_v4[code];
88 }
89
90 EXPORT_SYMBOL_GPL(nft_reject_icmp_code);
91
92
93 static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX] = {
94 [NFT_REJECT_ICMPX_NO_ROUTE] = ICMPV6_NOROUTE,
95 [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMPV6_PORT_UNREACH,
96 [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMPV6_ADDR_UNREACH,
97 [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMPV6_ADM_PROHIBITED,
98 };
99
100 int nft_reject_icmpv6_code(u8 code)
101 {
102 if (code > NFT_REJECT_ICMPX_MAX)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Same thing.
103 return -EINVAL;
104
105 return icmp_code_v6[code];
106 }
regards,
dan carpenter
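The off-by-one described above, as an added user-space model that is not kernel code: the enum follows the names quoted in the mail and the `NFT_REJECT_ICMPX_MAX` define is reproduced as posted (`__NFT_REJECT_ICMPX_MAX + 1`); the ICMP code values are the standard RFC 792 ones, defined locally so the file builds outside the kernel. `original_check_accepts()` evaluates the posted predicate without indexing anything, so the two codes it wrongly admits (4 and 5) can be shown safely; `nft_reject_icmp_code_checked()` is a hypothetical hardened lookup that sizes the table by the enum's own count and bounds-checks against that count.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum nft_reject_inet_code {
	NFT_REJECT_ICMPX_NO_ROUTE = 0,
	NFT_REJECT_ICMPX_PORT_UNREACH,
	NFT_REJECT_ICMPX_HOST_UNREACH,
	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
	__NFT_REJECT_ICMPX_MAX		/* == 4: the number of valid codes */
};
/* As quoted in the mail: one higher than the number of valid codes. */
#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)	/* == 5 */

/* Standard ICMP "destination unreachable" codes (RFC 792 / RFC 1812),
 * defined here so the example builds in user space. */
#define ICMP_NET_UNREACH  0
#define ICMP_HOST_UNREACH 1
#define ICMP_PORT_UNREACH 3
#define ICMP_PKT_FILTERED 13

/* Table sized by the enum count, so there is no unused trailing slot. */
static const uint8_t icmp_code_v4[__NFT_REJECT_ICMPX_MAX] = {
	[NFT_REJECT_ICMPX_NO_ROUTE]         = ICMP_NET_UNREACH,
	[NFT_REJECT_ICMPX_PORT_UNREACH]     = ICMP_PORT_UNREACH,
	[NFT_REJECT_ICMPX_HOST_UNREACH]     = ICMP_HOST_UNREACH,
	[NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMP_PKT_FILTERED,
};

/* The predicate exactly as posted ("code > NFT_REJECT_ICMPX_MAX"), returned
 * as a boolean only: it admits code 4 (an entry that was never filled in)
 * and code 5 (one past a 5-slot table), which is what the checker flagged. */
bool original_check_accepts(uint8_t code)
{
	return !(code > NFT_REJECT_ICMPX_MAX);
}

/* Hardened lookup: reject anything at or beyond the enum's count. */
int nft_reject_icmp_code_checked(uint8_t code)
{
	if (code >= __NFT_REJECT_ICMPX_MAX)
		return -EINVAL;
	return icmp_code_v4[code];
}

int main(void)
{
	for (unsigned c = 0; c <= NFT_REJECT_ICMPX_MAX + 1; c++)
		printf("code %u: posted check %s, checked lookup -> %d\n", c,
		       original_check_accepts((uint8_t)c) ? "accepts" : "rejects",
		       nft_reject_icmp_code_checked((uint8_t)c));
	return 0;
}
```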