[PATCH] Trivial fix for out of bounds array access in xfrm4_policy_check

From: Catalin(ux aka Dino) BOIE
Date: Tue Sep 07 2004 - 05:37:57 EST


Hello!

Coverity found a bug in accessing xfrm4_policy_check using XFRM_POLICY_FWD (=2) as index in sk->sk_policy.

sk->sk_policy[] is defined in sock.h as:

struct xfrm_policy *sk_policy[2];

Attached is the fix.

http://linuxbugs.coverity.com/external/editbugparent.php?viewbugid=2138&checkers%5B%5D=all&status%5B%5D=BUG&status%5B%5D=UNINSPECTED&status%5B%5D=UNKNOWN&status%5B%5D=DON%27T%20CARE&status%5B%5D=PENDING&product%5B%5D=all&component%5B%5D=all&file=&fn=&sortby=reverse_rank&before=&after=&curpage=2&bugid=-1&comment=&reason=

---
Catalin(ux aka Dino) BOIE
catab at deuroconsult.ro
http://kernel.umbrella.ro/

--- linux/include/net/sock.h 2004-09-07 13:13:31.000000000 +0300
+++ mylinux/include/net/sock.h 2004-09-07 13:14:36.000000000 +0300
@@ -201,7 +201,7 @@ struct sock {
wait_queue_head_t *sk_sleep;
struct dst_entry *sk_dst_cache;
rwlock_t sk_dst_lock;
- struct xfrm_policy *sk_policy[2];
+ struct xfrm_policy *sk_policy[3];
atomic_t sk_rmem_alloc;
struct sk_buff_head sk_receive_queue;
atomic_t sk_wmem_alloc;
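
Review bot: the new bound on sk_policy is a bare literal 3, chosen only because XFRM_POLICY_FWD is 2, so nothing ties the array size to the direction values and the same overrun comes back if another direction is ever added. Size the array with a named constant defined alongside XFRM_POLICY_FWD rather than the literal. A second point to settle before merging: this adds one pointer to every struct sock. If a socket never carries a forward policy, a check at the access site in xfrm4_policy_check that keeps XFRM_POLICY_FWD from indexing sk_policy would remove the out-of-bounds access without growing the structure. The access site is not part of this patch, so it should be shown or at least referenced in the description.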