[PATCH 2/2] net: bcmasp: Sanity check is off by one

From: Justin Chen
Date: Thu Feb 15 2024 - 13:32:12 EST

Next message: Catalin Marinas: "Re: [PATCH v6 04/18] arm64/mm: Convert pte_next_pfn() to pte_advance_pfn()"
Previous message: Justin Chen: "[PATCH 1/2] net: bcmasp: Indicate MAC is in charge of PHY PM"
Next in thread: Florian Fainelli: "Re: [PATCH 2/2] net: bcmasp: Sanity check is off by one"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A sanity check for OOB write is off by one leading to a false positive
when the array is full.

Fixes: 9b90aca97f6d ("net: ethernet: bcmasp: fix possible OOB write in bcmasp_netfilt_get_all_active()")
Signed-off-by: Justin Chen <justin.chen@xxxxxxxxxxxx>
---
drivers/net/ethernet/broadcom/asp2/bcmasp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/asp2/bcmasp.c b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
index 29b04a274d07..80245c65cc90 100644
--- a/drivers/net/ethernet/broadcom/asp2/bcmasp.c
+++ b/drivers/net/ethernet/broadcom/asp2/bcmasp.c
@@ -535,9 +535,6 @@ int bcmasp_netfilt_get_all_active(struct bcmasp_intf *intf, u32 *rule_locs,
int j = 0, i;

for (i = 0; i < NUM_NET_FILTERS; i++) {
- if (j == *rule_cnt)
- return -EMSGSIZE;
-
if (!priv->net_filters[i].claimed ||
priv->net_filters[i].port != intf->port)
continue;
@@ -547,6 +544,9 @@ int bcmasp_netfilt_get_all_active(struct bcmasp_intf *intf, u32 *rule_locs,
priv->net_filters[i - 1].wake_filter)
continue;

+ if (j == *rule_cnt)
+ return -EMSGSIZE;
+
rule_locs[j++] = priv->net_filters[i].fs.location;
}

--
2.34.1

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Next message: Catalin Marinas: "Re: [PATCH v6 04/18] arm64/mm: Convert pte_next_pfn() to pte_advance_pfn()"
Previous message: Justin Chen: "[PATCH 1/2] net: bcmasp: Indicate MAC is in charge of PHY PM"
Next in thread: Florian Fainelli: "Re: [PATCH 2/2] net: bcmasp: Sanity check is off by one"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]