re: netfilter: nf_tables: add compatibility layer for x_tables


 



Hello Pablo Neira Ayuso,

The patch 0ca743a55991: "netfilter: nf_tables: add compatibility 
layer for x_tables" from Oct 14, 2013, leads to the following Smatch
warning: "net/netfilter/nft_compat.c:140 nft_parse_compat()
	 warn: signedness bug returning '(-34)'"

net/netfilter/nft_compat.c
   131  static u8 nft_parse_compat(const struct nlattr *attr, bool *inv)
   132  {
   133          struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
   134          u32 flags;
   135          int err;
   136  
   137          err = nla_parse_nested(tb, NFTA_RULE_COMPAT_MAX, attr,
   138                                 nft_rule_compat_policy);
   139          if (err < 0)
   140                  return err;
                        ^^^^^^^^^^
   141  
   142          if (!tb[NFTA_RULE_COMPAT_PROTO] || !tb[NFTA_RULE_COMPAT_FLAGS])
   143                  return -EINVAL;
                        ^^^^^^^^^^^^^^^
   144  
   145          flags = ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_FLAGS]));
   146          if (flags & ~NFT_RULE_COMPAT_F_MASK)
   147                  return -EINVAL;
                        ^^^^^^^^^^^^^^^

   148          if (flags & NFT_RULE_COMPAT_F_INV)
   149                  *inv = true;
   150  
   151          return ntohl(nla_get_be32(tb[NFTA_RULE_COMPAT_PROTO]));
   152  }

This function returns error codes but the return type is u8 so the error
codes are transformed into small positive values.  The callers don't
check the return.

regards,
dan carpenter
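
The truncation described in the message above, as an added userspace example; it is not part of the original mail or of the kernel source. `struct compat_attrs`, the flag values and all function names are constructed stand-ins, and the `int`-returning variant is one way to keep errors distinguishable from protocol numbers, not necessarily the change made upstream.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the parsed attributes; not a kernel structure. */
struct compat_attrs { bool has_proto, has_flags; uint32_t proto, flags; };
#define F_INV  0x2u	/* illustrative flag value, not the kernel's definition */
#define F_MASK F_INV

static int check_attrs(const struct compat_attrs *a)
{
	if (!a->has_proto || !a->has_flags)
		return -EINVAL;
	return (a->flags & ~F_MASK) ? -EINVAL : 0;
}

/* Same shape as the quoted function: status and protocol share one u8. */
static uint8_t parse_u8(const struct compat_attrs *a, bool *inv)
{
	int err = check_attrs(a);
	if (err < 0)
		return err;	/* int -> u8: -EINVAL becomes 256 - EINVAL */
	if (a->flags & F_INV)
		*inv = true;
	return a->proto;
}

/* Status returned as int, protocol handed back through an out-parameter. */
static int parse_int(const struct compat_attrs *a, uint8_t *proto, bool *inv)
{
	int err = check_attrs(a);
	if (err < 0)
		return err;
	if (a->flags & F_INV)
		*inv = true;
	*proto = (uint8_t)a->proto;
	return 0;
}

/* Constructed input: the flags attribute is missing, so parsing must fail. */
static const struct compat_attrs missing_flags = { .has_proto = true, .proto = 6 };
static unsigned u8_result(void) { bool inv = false; return parse_u8(&missing_flags, &inv); }
static int int_result(void) { bool inv = false; uint8_t p = 0; return parse_int(&missing_flags, &p, &inv); }

int main(void)
{
	printf("u8 return: %u, int return: %d\n", u8_result(), int_result());
	return 0;
}
```

With the `u8` return type, a caller that did check the result could not tell the failure apart from a protocol number in the range 0..255.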
