From mboxrd@z Thu Jan 1 00:00:00 1970 Received: by passt.top (Postfix, from userid 1000) id 0ACB25A0267; Mon, 10 Oct 2022 09:53:11 +0200 (CEST) From: Stefano Brivio To: passt-dev@passt.top Subject: [PATCH] packet: Fix off-by-one in packet_get_do() sanity checks Date: Mon, 10 Oct 2022 09:53:11 +0200 Message-Id: <20221010075311.824692-1-sbrivio@redhat.com> X-Mailer: git-send-email 2.35.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: TBM3ETHXCWHYBDIEMWYMZDDHQVUYTDTQ X-Message-ID-Hash: TBM3ETHXCWHYBDIEMWYMZDDHQVUYTDTQ X-MailFrom: sbrivio@passt.top X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Laurent Vivier X-Mailman-Version: 3.3.3 Precedence: list List-Id: Development discussion and patches for passt Archived-At: <> Archived-At: List-Archive: <> List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: An n-sized pool, or a pool with n entries, doesn't include index n, only up to n - 1. I'm not entirely sure this sanity check actually covers any practical case, but I spotted this while debugging a hang in tap4_handler() (possibly due to malformed sequence entries from qemu). Signed-off-by: Stefano Brivio --- packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packet.c b/packet.c index 3f82e84..d1ff998 100644 --- a/packet.c +++ b/packet.c @@ -87,7 +87,7 @@ void packet_add_do(struct pool *p, size_t len, const char *start, void *packet_get_do(const struct pool *p, size_t index, size_t offset, size_t len, size_t *left, const char *func, int line) { - if (index > p->size || index > p->count) { + if (index >= p->size || index >= p->count) { if (func) { trace("packet %lu from pool size: %lu, count: %lu, " "%s:%i", index, p->size, p->count, func, line); -- 2.35.1
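Review bot: The changed condition in packet_get_do() now tests both index >= p->size and index >= p->count, but nothing in the hunk says which invariant each comparison guards. If count can never exceed size, index >= p->count alone already rejects index n for a pool with n entries, and the p->size comparison only matters when that invariant is broken. A one-line comment above the check saying so would help the next reader. In the trace() call just below, index is declared size_t in the function signature but is printed with %lu; %zu is the matching conversion and avoids a format mismatch on targets where size_t is not unsigned long. Since the hunk header names packet_add_do() as the preceding function, it is also worth confirming that its own bound against the pool uses the same convention, so that the add and get paths agree on the last valid index.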