From: Dan Carpenter <error27@gmail.com>
Date: Mon, 4 Oct 2010 02:28:36 +0000 (+0000)
Subject: cls_u32: signedness bug
X-Git-Tag: v3.0~3155^2~24
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4e18b3edf71f5d4ad653e3c2ff6560878e965f96;p=platform%2Fkernel%2Flinux-amlogic.git

cls_u32: signedness bug

skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also
unsigned and can't be less than zero.  This test was added in 66d50d25:
"u32: negative offset fix"  It was supposed to fix a regression.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 7416a5c..b0c2a82 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -137,7 +137,7 @@ next_knode:
 			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, _data;
 
-			if (skb_headroom(skb) + toff < 0)
+			if (skb_headroom(skb) + toff > INT_MAX)
 				goto out;
 
 			data = skb_header_pointer(skb, toff, 4, &_data);