On Mon, Mar 12, 2018 at 04:58:38PM -0700, Joe Perches wrote:
> On Mon, 2018-03-12 at 18:14 -0500, Gustavo A. R. Silva wrote:
> > In preparation to enabling -Wvla, remove VLA and replace it
> > with dynamic memory allocation.
> > 
> > From a security viewpoint, the use of Variable Length Arrays can be
> > a vector for stack overflow attacks. Also, in general, as the code
> > evolves it is easy to lose track of how big a VLA can get. Thus, we
> > can end up having segfaults that are hard to debug.
> > 
> > Also, fixed as part of the directive to remove all VLAs from
> []
> > diff --git a/net/netfilter/nfnetlink_cttimeout.c 
> > b/net/netfilter/nfnetlink_cttimeout.c
> []
> > @@ -51,19 +51,27 @@ ctnl_timeout_parse_policy(void *timeouts,
> >                       const struct nf_conntrack_l4proto *l4proto,
> >                       struct net *net, const struct nlattr *attr)
> >  {
> > +   struct nlattr **tb;
> >     int ret = 0;
> >  
> > -   if (likely(l4proto->ctnl_timeout.nlattr_to_obj)) {
> > -           struct nlattr *tb[l4proto->ctnl_timeout.nlattr_max+1];
> > +   if (!l4proto->ctnl_timeout.nlattr_to_obj)
> > +           return 0;
> 
> Why not
>       if unlikely(!...)

This is control plane code - not packet path - I think we should just
let the compiler decide on this one, not really need to provide an
explicit hint here.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to