'len' is unsigned of type size_t and can't be negative.
Signed-off-by: Nicolas Kaiser <[email protected]>
---
drivers/net/macvtap.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index 5933621..fc27a99 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -528,8 +528,9 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q,
vnet_hdr_len = q->vnet_hdr_sz;
err = -EINVAL;
- if ((len -= vnet_hdr_len) < 0)
+ if (len < vnet_hdr_len)
goto err;
+ len -= vnet_hdr_len;
err = memcpy_fromiovecend((void *)&vnet_hdr, iv, 0,
sizeof(vnet_hdr));
--
1.7.3.4
On Saturday 05 March 2011, Nicolas Kaiser wrote:
> 'len' is unsigned of type size_t and can't be negative.
>
> Signed-off-by: Nicolas Kaiser <[email protected]>
Acked-by: Arnd Bergmann <[email protected]>
I think it's harmless: the worst thing that can happen is
macvtap_alloc_skb() failing with ENOMEM when it gets a
large argument, but we could have it in -stable just to
be sure.
Arnd
From: Arnd Bergmann <[email protected]>
Date: Mon, 7 Mar 2011 10:59:04 +0100
> On Saturday 05 March 2011, Nicolas Kaiser wrote:
>> 'len' is unsigned of type size_t and can't be negative.
>>
>> Signed-off-by: Nicolas Kaiser <[email protected]>
>
> Acked-by: Arnd Bergmann <[email protected]>
>
> I think it's harmless: the worst thing that can happen is
> macvtap_alloc_skb() failing with ENOMEM when it gets a
> large argument, but we could have it in -stable just to
> be sure.
I'm just going to add it to net-2.6
I verified that gcc is not generating this test at all
currently, so putting this into -stable is quite pointless.