On Thursday 2010-11-11 18:47, Pablo Neira Ayuso wrote:
>
>mnl_attr_for_each() in your patch is OK, sorry. But, here:
>
>+#define mnl_attr_for_each_nested(attr, nest) \
>+ for ((attr) = mnl_attr_get_payload(nest); \
>+ mnl_attr_ok((attr), mnl_attr_get_payload(attr) +
>mnl_attr_get_payload_len(attr) - (void *)(attr)); \
>+ (attr) = mnl_attr_next(attr))
>
>Once we iterate over the last attribute in the nest, we iterate again to
>check if there's any next. Then, mnl_attr_get_payload may access
>attr->len for an attribute that doesn't belong to the nest or (if the nest
>is in the end of the message) an out of bound message access.

Indeed. Should have been

	mnl_attr_ok((attr), mnl_attr_get_payload(nest) + mnl_attr_get_payload_len(nest) - (void *)(attr))

>I think that we can add mnl_attr_get_payload_tail to make tail minus
>attr, like in mnl_attr_for_each().
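
Review bot: In the loop condition of mnl_attr_for_each_nested, the length handed to mnl_attr_ok() is computed from attr itself (mnl_attr_get_payload(attr) + mnl_attr_get_payload_len(attr) - (void *)(attr)), so it carries no information about how much of the nest remains. After mnl_attr_next() steps past the last nested attribute, evaluating the condition reads the length field of whatever follows the nest, or memory past the end of the message, before the loop can terminate. The bound should come from the nest: mnl_attr_get_payload(nest) + mnl_attr_get_payload_len(nest) - (void *)(attr), ideally through one tail helper shared with mnl_attr_for_each() so both macros compute the remaining length the same way. A smaller point on the same line: subtracting (void *)(attr) relies on the GNU C extension for arithmetic on void pointers; casting both operands to char * would keep the macro usable with other compilers.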