On Wed, Aug 09, 2023 at 11:23:42AM +0200, Laurent Vivier wrote: > The number of items in pool_l4_t is defined to UIO_MAXIOV, > not TAP_SEQS. TAP_SEQS is the number of the messages. > > Fix the value used to compare seq->p.count with. > > Fix: bb708111833e ("treewide: Packet abstraction with mandatory boundary checks") > Signed-off-by: Laurent Vivier Reviewed-by: David Gibson > --- > tap.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/tap.c b/tap.c > index e034f9468267..69bd19a2a91a 100644 > --- a/tap.c > +++ b/tap.c > @@ -678,7 +678,7 @@ resume: > seq->daddr.s_addr = iph->daddr; \ > } while (0) > > - if (seq && L4_MATCH(iph, uh, seq) && seq->p.count < TAP_SEQS) > + if (seq && L4_MATCH(iph, uh, seq) && seq->p.count < UIO_MAXIOV) > goto append; > > if (seq_count == TAP_SEQS) > @@ -686,7 +686,7 @@ resume: > > for (seq = tap4_l4 + seq_count - 1; seq >= tap4_l4; seq--) { > if (L4_MATCH(iph, uh, seq)) { > - if (seq->p.count >= TAP_SEQS) > + if (seq->p.count >= UIO_MAXIOV) > seq = NULL; > break; > } > @@ -840,7 +840,7 @@ resume: > } while (0) > > if (seq && L4_MATCH(ip6h, proto, uh, seq) && > - seq->p.count < TAP_SEQS) > + seq->p.count < UIO_MAXIOV) > goto append; > > if (seq_count == TAP_SEQS) > @@ -848,7 +848,7 @@ resume: > > for (seq = tap6_l4 + seq_count - 1; seq >= tap6_l4; seq--) { > if (L4_MATCH(ip6h, proto, uh, seq)) { > - if (seq->p.count >= TAP_SEQS) > + if (seq->p.count >= UIO_MAXIOV) > seq = NULL; > break; > } -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson
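Review bot: in the two `goto append` checks (hunks at -678 and -840), the bound in `seq->p.count < UIO_MAXIOV` is still a constant picked by hand at the call site, which is how TAP_SEQS came to be used here in the first place. Since the commit message states that the number of items in pool_l4_t is defined by UIO_MAXIOV, consider deriving the limit from the pool's own definition, or putting it behind a single helper or macro shared by all four comparisons, so that a later change to the pool size cannot leave these bounds checks stale.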
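Review bot: in the lookup loops (hunks at -686 and -848), `if (seq->p.count >= UIO_MAXIOV)` now sits a few lines below `if (seq_count == TAP_SEQS)`, and nothing in the code says which limit applies to which counter. A short comment at these sites, stating that UIO_MAXIOV bounds the items in one sequence's pool while TAP_SEQS is the number of messages (as the commit message puts it), would record the distinction where the two constants appear side by side in both the IPv4 and IPv6 paths.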