cls_u32: signedness bug

skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also unsigned and can't be less than zero. This test was added in 66d50d2: "u32: negative offset fix" It was supposed to fix a regression. Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: David S. Miller <[email protected]>
mgowda · Oct 5, 2010 · 4e18b3e · 4e18b3e
1 parent 51e97a1
commit 4e18b3e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
@@ -137,7 +137,7 @@ static int u32_classify(struct sk_buff *skb, struct tcf_proto *tp, struct tcf_re
 			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, _data;
 
-			if (skb_headroom(skb) + toff < 0)
+			if (skb_headroom(skb) + toff > INT_MAX)
 				goto out;
 
 			data = skb_header_pointer(skb, toff, 4, &_data);