cls_u32: signedness bug

skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also unsigned and can't be less than zero. This test was added in 66d50d25: "u32: negative offset fix" It was supposed to fix a regression. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-04 02:28:36 +00:00 · 2010-10-04 02:28:36 +00:00 · 4e18b3edf7
parent 51e97a12be
commit 4e18b3edf7
1 changed files with 1 additions and 1 deletions
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@ -137,7 +137,7 @@ next_knode:
 			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, _data;

-			if (skb_headroom(skb) + toff < 0)
+			if (skb_headroom(skb) + toff > INT_MAX)
 				goto out;

 			data = skb_header_pointer(skb, toff, 4, &_data);