From: Jerry Snitselaar Date: Mon, 22 Jul 2013 19:01:58 +0000 (-0700) Subject: fib_trie: potential out of bounds access in trie_show_stats() X-Git-Tag: firefly_0821_release~176^2~5618^2~29 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f585a991e1d1612265f0d4e812f77e40dd54975b;p=firefly-linux-kernel-4.4.55.git fib_trie: potential out of bounds access in trie_show_stats() With the <= max condition in the for loop, it will be always go 1 element further than needed. If the condition for the while loop is never met, then max is MAX_STAT_DEPTH, and for loop will walk off the end of nodesizes[]. Signed-off-by: Jerry Snitselaar Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller --- diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c index 49616fed9340..108a1e9c9eac 100644 --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c @@ -2133,7 +2133,7 @@ static void trie_show_stats(struct seq_file *seq, struct trie_stat *stat) max--; pointers = 0; - for (i = 1; i <= max; i++) + for (i = 1; i < max; i++) if (stat->nodesizes[i] != 0) { seq_printf(seq, " %u: %u", i, stat->nodesizes[i]); pointers += (1<nodesizes[i];