[PATCH] fix off-by-one in rtnl_act_parse()
Thomas Graf
tgraf at suug.ch
Fri Mar 28 09:52:03 EDT 2014
On 03/28/14 at 02:17pm, Thomas Haller wrote:
> On Thu, 2014-03-27 at 08:28 +0000, Thomas Graf wrote:
> > On 03/26/14 at 10:43pm, Cong Wang wrote:
> > > Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
> > > ---
> > > lib/route/act.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/lib/route/act.c b/lib/route/act.c
> > > index b908b17..23f9393 100644
> >
> > LGTM
> >
> > Acked-by: Thomas Graf <tgraf at suug.ch>
> >
>
> Hi,
>
> Cong, why do you think that libnl should shift the index "i" by one?
> Sorry, I just don't see it :)
>
>
> kernel also uses similar loops:
>
> $ git grep -n for.*TCA_ACT_MAX_PRIO
> net/sched/act_api.c:593: for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {
> net/sched/act_api.c:871: for (i = 1; i <= TCA_ACT_MAX_PRIO && tb[i]; i++) {

Looking at the dumper:

	int err = 0, index = -1, i = 0, s_i = 0, n_i = 0;
	struct nlattr *nest;
	spin_lock_bh(&hinfo->lock);
	s_i = cb->args[0];
	for (i = 0; i < (hinfo->hmask + 1); i++) {
		head = &hinfo->htab[tcf_hash(i, hinfo->hmask)];
		hlist_for_each_entry_rcu(p, head, tcfc_head) {
			index++;
			if (index < s_i)
				continue;
			a->priv = p;
			a->order = n_i;
			nest = nla_nest_start(skb, a->order);
			if (nest == NULL)
				goto nla_put_failure;
			err = tcf_action_dump_1(skb, a, 0, 0);
			if (err < 0) {
				index--;
				nlmsg_trim(skb, nest);
				goto done;
			}
			nla_nest_end(skb, nest);
			n_i++;
			if (n_i >= TCA_ACT_MAX_PRIO)
				goto done;
		}
	}

It does use 0..TCA_ACT_MAX_PRIO
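
Added illustration, not part of the original message and not libnl or kernel code: a simplified model of the mismatch pointed out above, where the dumper numbers nests from 0 (a->order = n_i) while the loops quoted from act_api.c start reading at tb[1]. The struct attr framing and the helper names dump_actions, parse_table and count_actions are assumptions made for this example; TCA_ACT_MAX_PRIO is 32 as in linux/pkt_cls.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCA_ACT_MAX_PRIO 32	/* as in linux/pkt_cls.h */
struct attr { uint16_t len, type; };	/* simplified header, not real netlink framing */

/* Emit n empty nests typed 0..n-1, as the dumper does with a->order = n_i. */
static size_t dump_actions(unsigned char *buf, int n)
{
	int n_i;
	for (n_i = 0; n_i < n && n_i < TCA_ACT_MAX_PRIO; n_i++) {
		struct attr a = { (uint16_t)sizeof(a), (uint16_t)n_i };
		memcpy(buf + n_i * sizeof(a), &a, sizeof(a));
	}
	return (size_t)n_i * sizeof(struct attr);
}

/* Index attributes by type into tb[0..TCA_ACT_MAX_PRIO]; larger types are skipped. */
static void parse_table(const unsigned char *buf, size_t len, const unsigned char **tb)
{
	memset(tb, 0, (TCA_ACT_MAX_PRIO + 1) * sizeof(*tb));
	for (size_t off = 0; off + sizeof(struct attr) <= len; ) {
		struct attr a;
		memcpy(&a, buf + off, sizeof(a));
		if (a.len < sizeof(a) || a.len > len - off)
			break;	/* malformed length: stop parsing */
		if (a.type <= TCA_ACT_MAX_PRIO)
			tb[a.type] = buf + off;
		off += a.len;
	}
}

/* Dump n actions, then count entries with a "&& tb[i]" loop starting at `first`. */
static int count_actions(int n, int first)
{
	unsigned char buf[TCA_ACT_MAX_PRIO * sizeof(struct attr)];
	const unsigned char *tb[TCA_ACT_MAX_PRIO + 1];
	int i, found = 0;
	parse_table(buf, dump_actions(buf, n), tb);
	for (i = first; i <= TCA_ACT_MAX_PRIO && tb[i]; i++)
		found++;
	return found;
}

int main(void)
{
	printf("3 actions: from 1 -> %d, from 0 -> %d\n", count_actions(3, 1), count_actions(3, 0));
	return 0;
}
```

In this model a reader that starts at index 1 sees two of three dumped actions, and none at all when only one action was dumped.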