On 8/9/23 11:23, Laurent Vivier wrote:

The number of items in pool_l4_t is defined to UIO_MAXIOV, not TAP_SEQS. TAP_SEQS is the number of the messages.

Fix the value used to compare seq->p.count with.

Fix: bb708111833e ("treewide: Packet abstraction with mandatory boundary checks")

In fact, it actually fixes:

Fix: 37c228ada88b ("tap, tcp, udp, icmp: Cut down on some oversized buffers")

that replaces UIO_MAXIOV by TAP_SEQS in the array declaration and didn't correctly update the code.

Thanks,
Laurent

Signed-off-by: Laurent Vivier <lvivier(a)redhat.com>
---
tap.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tap.c b/tap.c index e034f9468267..69bd19a2a91a 100644 --- a/tap.c +++ b/tap.c @@ -678,7 +678,7 @@ resume: seq->daddr.s_addr = iph->daddr; \ } while (0) - if (seq && L4_MATCH(iph, uh, seq) && seq->p.count < TAP_SEQS) + if (seq && L4_MATCH(iph, uh, seq) && seq->p.count < UIO_MAXIOV) goto append; if (seq_count == TAP_SEQS) @@ -686,7 +686,7 @@ resume: for (seq = tap4_l4 + seq_count - 1; seq >= tap4_l4; seq--) { if (L4_MATCH(iph, uh, seq)) { - if (seq->p.count >= TAP_SEQS) + if (seq->p.count >= UIO_MAXIOV) seq = NULL; break; } @@ -840,7 +840,7 @@ resume: } while (0) if (seq && L4_MATCH(ip6h, proto, uh, seq) && - seq->p.count < TAP_SEQS) + seq->p.count < UIO_MAXIOV) goto append; if (seq_count == TAP_SEQS) @@ -848,7 +848,7 @@ resume: for (seq = tap6_l4 + seq_count - 1; seq >= tap6_l4; seq--) { if (L4_MATCH(ip6h, proto, uh, seq)) { - if (seq->p.count >= TAP_SEQS) + if (seq->p.count >= UIO_MAXIOV) seq = NULL; break; }
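Review bot: the commit message still carries the tag "Fix: bb708111833e" even though the reply above says the stale bound was introduced by 37c228ada88b, which is the commit that resized the tap4_l4/tap6_l4 arrays to TAP_SEQS; the tag should be updated to reference 37c228ada88b (and spelled "Fixes:" per the usual tag convention) before the patch is applied. The hunk at @@ -678 itself is right: seq->p.count is the fill level of a pool_l4_t that holds UIO_MAXIOV entries, while TAP_SEQS bounds the number of seq entries (the untouched "if (seq_count == TAP_SEQS)" check just below), so UIO_MAXIOV is the correct capacity to compare against before taking the append path.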
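Review bot: the search-loop test "if (seq->p.count >= UIO_MAXIOV)" in the hunk at @@ -686 is the inverse of the append condition in the previous hunk, and both are duplicated for IPv6 at @@ -840 and @@ -848, so the pool capacity constant is now spelled out in four places. Consider a small helper next to L4_MATCH, for example "#define L4_SEQ_FULL(seq) ((seq)->p.count >= UIO_MAXIOV)" (name is a suggestion), so that the bound lives in one place and a future buffer resize like the one in 37c228ada88b cannot leave one of the four sites comparing against the wrong limit again.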
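Review bot: the two IPv6 hunks at @@ -840 and @@ -848 mirror the IPv4 change exactly, and the "if (seq_count == TAP_SEQS)" check left between them is correctly untouched: seq_count indexes tap6_l4, which is sized to TAP_SEQS, so TAP_SEQS remains the right bound there while UIO_MAXIOV is the right bound for each seq's own packet pool. Keeping the two limits distinct in the code, rather than sharing one constant, is what makes this mismatch visible in review, so it would be worth a one-line comment at the tap4_l4/tap6_l4 declaration stating which constant bounds what.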