cls_u32: signedness bug

skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also unsigned and can't be less than zero. This test was added in 66d50d25: "u32: negative offset fix" It was supposed to fix a regression. Signed-off-by: N Dan Carpenter <error27@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

cls_u32: signedness bug
skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also unsigned and can't be less than zero. This test was added in 66d50d25: "u32: negative offset fix" It was supposed to fix a regression. Signed-off-by: N Dan Carpenter <error27@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
4e18b3ed · Dan Carpenter · David S. Miller · 51e97a12 · 4e18b3ed
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

net/sched/cls_u32.c net/sched/cls_u32.c +1 -1

未找到文件。
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -137,7 +137,7 @@ static int u32_classify(struct sk_buff *skb, struct tcf_proto *tp, struct tcf_re
 			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, _data;
-			if (skb_headroom(skb) + toff < 0)
+			if (skb_headroom(skb) + toff > INT_MAX)
 				goto out;
 			data = skb_header_pointer(skb, toff, 4, &_data);