bridge: make buffer larger in br_setlink()

We pass IFLA_BRPORT_MAX to nla_parse_nested() so we need IFLA_BRPORT_MAX + 1 elements. Also Smatch complains that we read past the end of the array when in br_set_port_flag() when it's called with IFLA_BRPORT_FAST_LEAVE. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>

bridge: make buffer larger in br_setlink()
We pass IFLA_BRPORT_MAX to nla_parse_nested() so we need IFLA_BRPORT_MAX + 1 elements. Also Smatch complains that we read past the end of the array when in br_set_port_flag() when it's called with IFLA_BRPORT_FAST_LEAVE. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter · David S. Miller
1 parent 65d2897c0f
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
net/bridge/br_netlink.c
@@ -239,7 +239,7 @@
 	struct ifinfomsg *ifm;
 	struct nlattr *protinfo;
 	struct net_bridge_port *p;
-	struct nlattr *tb[IFLA_BRPORT_MAX];
+	struct nlattr *tb[IFLA_BRPORT_MAX + 1];
 	int err;
  
 	ifm = nlmsg_data(nlh);
...	...	@@ -239,7 +239,7 @@
239	239	struct ifinfomsg *ifm;
240	240	struct nlattr *protinfo;
241	241	struct net_bridge_port *p;
242		- struct nlattr *tb[IFLA_BRPORT_MAX];
	242	+ struct nlattr *tb[IFLA_BRPORT_MAX + 1];
243	243	int err;
244	244
245	245	ifm = nlmsg_data(nlh);