Hi,
On Mon, Dec 09, 2024 at 09:49:18PM +0100, Karol Przybylski wrote:
> The comparison seclen >= 0 in net/netfilter/nfnetlink_queue.c is redundant because seclen is an unsigned value, and such comparisons are always true.
>
> This patch removes the unnecessary comparison replacing it with just 'greater than'
>
> Discovered in coverity, CID 1602243
>
> Signed-off-by: Karol Przybylski <karprzy7@xxxxxxxxx>
> ---
> net/netfilter/nfnetlink_queue.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 5110f29b2..eacb34ffb 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -643,7 +643,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
>
> if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
> seclen = nfqnl_get_sk_secctx(entskb, &ctx);
> - if (seclen >= 0)
> + if (seclen > 0)
What tree are you using? I don't see this code in net-next.git
> size += nla_total_size(seclen);
> }
>
> @@ -810,7 +810,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> }
>
> nlh->nlmsg_len = skb->len;
> - if (seclen >= 0)
> + if (seclen > 0)
> security_release_secctx(&ctx);
> return skb;
>
> @@ -819,7 +819,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
> kfree_skb(skb);
> net_err_ratelimited("nf_queue: error creating packet message\n");
> nlmsg_failure:
> - if (seclen >= 0)
> + if (seclen > 0)
> security_release_secctx(&ctx);
> return NULL;
> }
> --
> 2.34.1
>
