Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > + next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg; > > + > > + /* Can't happen: nft_validate_register_load() should have failed */ > > + if (WARN_ON_ONCE(next_register > NFT_REG32_NUM)) > > + return -EINVAL; > > + > > + /* find first register that did not see an earlier store. */ > > + invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg); > > Is this assuming that register allocation from userspace is done secuencially? No, that would be a bug. Each set bit represents a register, if the bit is 1, the register saw a store. The above is the load check: load is from register "reg", and we check the first reg that did not see a store (is 0), starting from reg. The result (register with undefined content) needs to be larger than next_register, which is the register coming after the current access (can be NFT_REG32_NUM, in that case no furhter registers exist and access is ok). > > + /* invalid register within the range that we're loading from? */ > > + if (invalid_reg < next_register) > > + return -ENODATA; > > + This means that in range the relevant access range [reg,next_reg) the is at least on register that did not see a store.
