From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 7 Dec 2012 01:10:46 +0000 (+0000)
Subject: bridge: make buffer larger in br_setlink()
X-Git-Tag: upstream/snapshot3+hdmi~6096^2~37
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2062cc20d0a8e370163efccbee555347e17100c0;p=platform%2Fadaptation%2Frenesas_rcar%2Frenesas_kernel.git

bridge: make buffer larger in br_setlink()

We pass IFLA_BRPORT_MAX to nla_parse_nested() so we need
IFLA_BRPORT_MAX + 1 elements.  Also Smatch complains that we read past
the end of the array when in br_set_port_flag() when it's called with
IFLA_BRPORT_FAST_LEAVE.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 850b7d1..dead9df 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -239,7 +239,7 @@ int br_setlink(struct net_device *dev, struct nlmsghdr *nlh)
 	struct ifinfomsg *ifm;
 	struct nlattr *protinfo;
 	struct net_bridge_port *p;
-	struct nlattr *tb[IFLA_BRPORT_MAX];
+	struct nlattr *tb[IFLA_BRPORT_MAX + 1];
 	int err;
 
 	ifm = nlmsg_data(nlh);