On Thu, 2024-09-12 at 09:20 +0800, Hou Tao wrote:

[...]

> > > @@ -3592,6 +3592,12 @@ static int btf_find_nested_struct(const struct btf *btf, const struct btf_type *
> > >  			info[i].off += off;
> > >  
> > >  		if (nelems > 1) {
> > > +			/* The type of struct size or variable size is u32,
> > > +			 * so the multiplication will not overflow.
> > > +			 */
> > > +			if (ret * nelems > info_cnt)
> > > +				return -E2BIG;
> > > +
> > >  			err = btf_repeat_fields(info, ret, nelems - 1, t->size);
> > >  			if (err == 0)
> > >  				ret *= nelems;
> >
> > btf_repeat_fields(struct btf_field_info *info,
> >                   u32 field_cnt, u32 repeat_cnt, u32 elem_size)
> >
> > copies field "field_cnt * repeat_cnt" times,
> > in this case field_cnt == ret, repeat_cnt == nelems - 1,
> > should the check be "ret * (nelems - 1) > info_cnt"?
>
> No. The number of available btf_field_info is info_cnt,
> btf_find_struct_field() has already used ret fields, and there are still
> ret * (nelems - 1) fields waiting for repetition, so checking ret *
> nelems against info_cnt is correct.

Please bear with me. Here is btf_repeat_fields():

    static int btf_repeat_fields(struct btf_field_info *info,
                                 u32 field_cnt, u32 repeat_cnt, u32 elem_size)
    {
        u32 i, j;
        u32 cur;

        ...
        cur = field_cnt;
        for (i = 0; i < repeat_cnt; i++) {
            ...
            for (j = 0; j < field_cnt; j++)
                info[cur++].off += (i + 1) * elem_size;
        }
        ...
    }

The range for 'cur' is [field_cnt .. field_cnt * repeat_cnt].
Meaning that at least 'field_cnt * repeat_cnt' entries are necessary
in the 'info' array.
Given parameters passed to the function, this is 'ret * (nelems - 1)'.
What am I missing?
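Review bot: the bound `ret * nelems > info_cnt` is consistent with the quoted btf_repeat_fields() loop: `cur` starts at `field_cnt` and is incremented `field_cnt * repeat_cnt` times, so the last index written is `field_cnt * (repeat_cnt + 1) - 1`, which with `field_cnt == ret` and `repeat_cnt == nelems - 1` is `ret * nelems - 1`; a check against `ret * (nelems - 1)` would admit an array that is `ret` entries too short. The added comment would carry that argument better if it said so directly, e.g. "ret entries are already in use and ret * (nelems - 1) copies follow, so ret * nelems entries are needed in total", and spelled out which bound keeps `ret * nelems` in range, since as written it names the u32 types but not why a field count multiplied by an element count cannot wrap.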
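The disagreement in the thread is about how many btf_field_info entries the repeat step consumes. The following is an added example, not kernel code and not written by either participant: it models the quoted btf_repeat_fields() loop with an explicit capacity (`info_cnt`) and a bounds check on every write, so the required capacity can be measured instead of argued about. `struct field_info`, `model_repeat_fields`, `min_capacity` and `check_passes` are names invented here; the kernel's struct btf_field_info has more members and no such capacity parameter.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's struct btf_field_info (constructed for this
 * example; only the offset member is modelled). */
struct field_info {
	uint32_t off;
};

/* Model of btf_repeat_fields(): copies the first field_cnt entries
 * repeat_cnt times, adding (i + 1) * elem_size to each copy's offset.
 * Unlike the quoted kernel excerpt it knows the array capacity and
 * refuses to write past it, returning -E2BIG instead. */
static int model_repeat_fields(struct field_info *info, uint32_t info_cnt,
			       uint32_t field_cnt, uint32_t repeat_cnt,
			       uint32_t elem_size)
{
	uint32_t cur = field_cnt;

	for (uint32_t i = 0; i < repeat_cnt; i++) {
		for (uint32_t j = 0; j < field_cnt; j++) {
			if (cur >= info_cnt)
				return -E2BIG;
			info[cur] = info[j];
			info[cur].off += (i + 1) * elem_size;
			cur++;
		}
	}
	return 0;
}

#define MODEL_MAX_INFO 64

/* Smallest info_cnt for which repeating field_cnt fields across nelems
 * array elements succeeds, found by probing the model. This is exactly
 * the quantity the two candidate checks (ret * nelems versus
 * ret * (nelems - 1)) disagree about. Returns 0 if no capacity up to
 * MODEL_MAX_INFO suffices. */
static uint32_t min_capacity(uint32_t field_cnt, uint32_t nelems,
			     uint32_t elem_size)
{
	struct field_info info[MODEL_MAX_INFO];

	for (uint32_t cap = field_cnt; cap <= MODEL_MAX_INFO; cap++) {
		memset(info, 0, sizeof(info));
		/* Constructed offsets for the fields found in one element. */
		for (uint32_t j = 0; j < field_cnt; j++)
			info[j].off = j * 8;
		if (model_repeat_fields(info, cap, field_cnt, nelems - 1,
					elem_size) == 0)
			return cap;
	}
	return 0;
}

/* The check from the patch, evaluated in 64-bit arithmetic so that a u32
 * wraparound of the product cannot make an oversized input look small. */
static int check_passes(uint32_t ret, uint32_t nelems, uint32_t info_cnt)
{
	return (uint64_t)ret * nelems <= info_cnt;
}

int main(void)
{
	/* Two fields per element, three elements: indices 2..5 are written,
	 * so six entries are needed, i.e. ret * nelems, not ret * (nelems - 1). */
	printf("min capacity for ret=2, nelems=3: %u\n", min_capacity(2, 3, 16));
	printf("patch check with info_cnt=5: %s\n",
	       check_passes(2, 3, 5) ? "pass" : "reject");
	printf("patch check with info_cnt=6: %s\n",
	       check_passes(2, 3, 6) ? "pass" : "reject");
	return 0;
}
```

Running it shows that with `ret == 2` and `nelems == 3` the repeat needs six entries: the indices written are 2, 3, 4 and 5, so the first `ret` entries plus `ret * (nelems - 1)` copies total `ret * nelems`. A check of `ret * (nelems - 1) > info_cnt` would accept `info_cnt == 5`, which the model rejects with -E2BIG on the last write.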