On Mon, Mar 12, 2018 at 04:58:38PM -0700, Joe Perches wrote:
> On Mon, 2018-03-12 at 18:14 -0500, Gustavo A. R. Silva wrote:
> > In preparation to enabling -Wvla, remove VLA and replace it
> > with dynamic memory allocation.
> >
> > From a security viewpoint, the use of Variable Length Arrays can be
> > a vector for stack overflow attacks. Also, in general, as the code
> > evolves it is easy to lose track of how big a VLA can get. Thus, we
> > can end up having segfaults that are hard to debug.
> >
> > Also, fixed as part of the directive to remove all VLAs from
> []
> > diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
> []
> > @@ -51,19 +51,27 @@ ctnl_timeout_parse_policy(void *timeouts,
> > const struct nf_conntrack_l4proto *l4proto,
> > struct net *net, const struct nlattr *attr)
> > {
> > + struct nlattr **tb;
> > int ret = 0;
> >
> > - if (likely(l4proto->ctnl_timeout.nlattr_to_obj)) {
> > - struct nlattr *tb[l4proto->ctnl_timeout.nlattr_max+1];
> > + if (!l4proto->ctnl_timeout.nlattr_to_obj)
> > + return 0;
>
> Why not
> if unlikely(!...)
This is control plane code - not packet path - I think we should just
let the compiler decide on this one, not really need to provide an
explicit hint here.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
