Reported by David but also by Coverity (CWE-119): In conf_ports: Out-of-bounds access to a buffer ...not in practice, because the allocation size is rounded up anyway, but not nice either. Reported-by: David Gibson <david(a)gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio(a)redhat.com> --- conf.c | 2 +- tcp.h | 4 ++-- udp.h | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/conf.c b/conf.c index d80233c..7ecfa1e 100644 --- a/conf.c +++ b/conf.c @@ -127,8 +127,8 @@ static int conf_ports(struct ctx *c, char optname, const char *optarg, { int start_src, end_src, start_dst, end_dst, exclude_only = 1, i, port; char addr_buf[sizeof(struct in6_addr)] = { 0 }, *addr = addr_buf; + uint8_t *map, exclude[DIV_ROUND_UP(USHRT_MAX, 8)] = { 0 }; void (*remap)(in_port_t port, in_port_t delta); - uint8_t *map, exclude[USHRT_MAX / 8] = { 0 }; char buf[BUFSIZ], *sep, *spec, *p; sa_family_t af = AF_UNSPEC; diff --git a/tcp.h b/tcp.h index 7b720c1..6431b75 100644 --- a/tcp.h +++ b/tcp.h @@ -69,9 +69,9 @@ struct tcp_ctx { uint64_t hash_secret[2]; int conn_count; int splice_conn_count; - uint8_t port_to_tap [USHRT_MAX / 8]; + uint8_t port_to_tap [DIV_ROUND_UP(USHRT_MAX, 8)]; int init_detect_ports; - uint8_t port_to_init [USHRT_MAX / 8]; + uint8_t port_to_init [DIV_ROUND_UP(USHRT_MAX, 8)]; int ns_detect_ports; struct timespec timer_run; #ifdef HAS_SND_WND diff --git a/udp.h b/udp.h index f16fe5e..8f82842 100644 --- a/udp.h +++ b/udp.h @@ -53,9 +53,9 @@ union udp_epoll_ref { * @timer_run: Timestamp of most recent timer run */ struct udp_ctx { - uint8_t port_to_tap [USHRT_MAX / 8]; + uint8_t port_to_tap [DIV_ROUND_UP(USHRT_MAX, 8)]; int init_detect_ports; - uint8_t port_to_init [USHRT_MAX / 8]; + uint8_t port_to_init [DIV_ROUND_UP(USHRT_MAX, 8)]; int ns_detect_ports; struct timespec timer_run; }; -- 2.35.1