On 8/19/24 12:42 PM, Kuniyuki Iwashima wrote:
Smatch reported a possible off-by-one in tcp_validate_cookie().
However, it's false positive because the possible range of mssind is
limited from 0 to 3 by the preceding calculation.
mssind = (cookie & (3 << 6)) >> 6;
There's no real issue, but let's make Smatch happy to suppress the same
reports.
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Closes: https://lore.kernel.org/bpf/6ae12487-d3f1-488b-9514-af0dac96608f@stanley.mountain/
Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
---
tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
index 44ee0d037f95..36b842133033 100644
--- a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
+++ b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
@@ -487,12 +487,12 @@ static int tcp_validate_cookie(struct tcp_syncookie *ctx)
mssind = (cookie & (3 << 6)) >> 6;
This should have bound the mssind.
if (ctx->ipv4) {
- if (mssind > ARRAY_SIZE(msstab4))
+ if (mssind >= ARRAY_SIZE(msstab4))
Does the verifier complain without this if check?
goto err;
ctx->attrs.mss = msstab4[mssind];
} else {
- if (mssind > ARRAY_SIZE(msstab6))
+ if (mssind >= ARRAY_SIZE(msstab6))
goto err;
ctx->attrs.mss = msstab6[mssind];
