Hello Pablo Neira Ayuso,

The patch 51b0a5d8c21a: "netfilter: nft_reject: introduce icmp code
abstraction for inet and bridge" from Sep 26, 2014, leads to the
following static checker warning:

	net/netfilter/nft_reject.c:87 nft_reject_icmp_code()
	error: buffer overflow 'icmp_code_v4' 5 <= 5

net/netfilter/nft_reject.c
    75  static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX] = {
    76          [NFT_REJECT_ICMPX_NO_ROUTE] = ICMP_NET_UNREACH,
    77          [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMP_PORT_UNREACH,
    78          [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMP_HOST_UNREACH,
    79          [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMP_PKT_FILTERED,
    80  };
    81  
    82  int nft_reject_icmp_code(u8 code)
    83  {
    84          if (code > NFT_REJECT_ICMPX_MAX)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Obviously this should be >= instead of >, but I also had a question
about NFT_REJECT_ICMPX_MAX.

#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)

__NFT_REJECT_ICMPX_MAX is already plus one so it feels like
NFT_REJECT_ICMPX_MAX is one higher than needed. (But it also has been a
long day and I'm no longer sure I know how to add 1 + 4).

    85                  return -EINVAL;
    86  
    87          return icmp_code_v4[code];
    88  }
    89  
    90  EXPORT_SYMBOL_GPL(nft_reject_icmp_code);
    91  
    92  
    93  static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX] = {
    94          [NFT_REJECT_ICMPX_NO_ROUTE] = ICMPV6_NOROUTE,
    95          [NFT_REJECT_ICMPX_PORT_UNREACH] = ICMPV6_PORT_UNREACH,
    96          [NFT_REJECT_ICMPX_HOST_UNREACH] = ICMPV6_ADDR_UNREACH,
    97          [NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMPV6_ADM_PROHIBITED,
    98  };
    99  
   100  int nft_reject_icmpv6_code(u8 code)
   101  {
   102          if (code > NFT_REJECT_ICMPX_MAX)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Same thing.

   103                  return -EINVAL;
   104  
   105          return icmp_code_v6[code];
   106  }

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
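The off-by-one the checker reports, reproduced in user-space C as an added illustration (this is not kernel code and not the fix that went upstream): the enum layout and the `+ 1` macro are assumed to match what the mail quotes, the ICMP code values are the standard RFC 792/1812 numbers, and `buggy_check_accepts` / `nft_reject_icmp_code_fixed` are names chosen for this example.

```c
#include <errno.h>
#include <stdint.h>

/* Assumed layout: four defined codes, __NFT_REJECT_ICMPX_MAX == 4. */
enum nft_reject_inet_code {
	NFT_REJECT_ICMPX_NO_ROUTE = 0,
	NFT_REJECT_ICMPX_PORT_UNREACH,
	NFT_REJECT_ICMPX_HOST_UNREACH,
	NFT_REJECT_ICMPX_ADMIN_PROHIBITED,
	__NFT_REJECT_ICMPX_MAX
};
/* As quoted in the mail: == 5, one more than the number of entries. */
#define NFT_REJECT_ICMPX_MAX (__NFT_REJECT_ICMPX_MAX + 1)

/* ICMP "destination unreachable" codes, RFC 792 / RFC 1812. */
#define ICMP_NET_UNREACH   0
#define ICMP_HOST_UNREACH  1
#define ICMP_PORT_UNREACH  3
#define ICMP_PKT_FILTERED  13

/* 5 slots, valid indices 0..4; slot 4 is never initialised (reads as 0). */
static const uint8_t icmp_code_v4[NFT_REJECT_ICMPX_MAX] = {
	[NFT_REJECT_ICMPX_NO_ROUTE] = ICMP_NET_UNREACH,
	[NFT_REJECT_ICMPX_PORT_UNREACH] = ICMP_PORT_UNREACH,
	[NFT_REJECT_ICMPX_HOST_UNREACH] = ICMP_HOST_UNREACH,
	[NFT_REJECT_ICMPX_ADMIN_PROHIBITED] = ICMP_PKT_FILTERED,
};

/* The predicate as checked in: returns 1 when the code would be used as an
 * index. code == 5 passes, which is the one-past-the-end read the checker
 * flags ("5 <= 5"). The table is deliberately not dereferenced here. */
int buggy_check_accepts(uint8_t code)
{
	return !(code > NFT_REJECT_ICMPX_MAX);
}

/* One hardened form: bound the index by the number of defined entries, so
 * both the out-of-bounds slot (5) and the unused slot (4) are refused and
 * the caller gets -EINVAL instead of a stray table read. */
int nft_reject_icmp_code_fixed(uint8_t code)
{
	if (code >= __NFT_REJECT_ICMPX_MAX)
		return -EINVAL;
	return icmp_code_v4[code];
}
```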