From 9b11e7b0a70745eeab66b5620b24c8ccde036380 Mon Sep 17 00:00:00 2001
From: Reyk Floeter
Date: Fri, 11 Aug 2017 13:56:07 +0000
Subject: Fix out-of-bounds read when looking up the flow-mod handler.

Another case of the "C indexes start at 0" bug where ">" must be ">=":
if (i >= nitems(foo)) return (NULL); else return (foo[i].handler);

Coverity CID 1453340; Severity: Major

OK millert@ goda@
---
 sys/net/switchofp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sys/net')

diff --git a/sys/net/switchofp.c b/sys/net/switchofp.c
index e6321a517b2..c9da7d77c74 100644
--- a/sys/net/switchofp.c
+++ b/sys/net/switchofp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: switchofp.c,v 1.68 2017/08/11 13:55:09 reyk Exp $ */
+/* $OpenBSD: switchofp.c,v 1.69 2017/08/11 13:56:06 reyk Exp $ */
 
 /*
 * Copyright (c) 2016 Kazuya GODA
@@ -5346,7 +5346,7 @@ swofp_flow_mod_cmd_delete_strict(struct switch_softc *sc, struct mbuf *m)
 ofp_msg_handler *
 swofp_flow_mod_lookup_handler(uint8_t cmd)
 {
- if (cmd > nitems(ofp_flow_mod_table))
+ if (cmd >= nitems(ofp_flow_mod_table))
 return (NULL);
 else
 return (&ofp_flow_mod_table[cmd].ofm_cmd_handler);
-- 
cgit v1.2.3
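Review bot: swofp_flow_mod_lookup_handler() returns the address of the table slot (`&ofp_flow_mod_table[cmd].ofm_cmd_handler`), not the handler itself, so an in-range `cmd` whose entry has no handler set would still yield a non-NULL pointer to a NULL function pointer. Neither the table contents nor the callers are visible in this hunk, and the function's closing brace lies outside it, so this is a point to confirm: callers should test both the returned pointer and `*handler` before calling through it. Since `cmd` is a `uint8_t` that presumably comes straight from a received flow-mod message, a comment above the check such as `/* cmd comes from the message; reject anything outside ofp_flow_mod_table */` would record why the guard exists. The commit message describes this as another instance of the same off-by-one, so any remaining `> nitems(` index guards in this file deserve the same review.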