From 298bf12ddb25841804f26234a43b89da1b1c0e21 Mon Sep 17 00:00:00 2001 From: Sascha Hlusiak Date: Tue, 29 Sep 2009 11:27:05 +0000 Subject: sit: fix off-by-one in ipip6_tunnel_get_prl When requesting all prl entries (kprl.addr == INADDR_ANY) and there are more prl entries than there is space passed from userspace, the existing code would always copy cmax+1 entries, which is more than can be handled. This patch makes the kernel copy only exactly cmax entries. Signed-off-by: Sascha Hlusiak Acked-By: Fred L. Templin Signed-off-by: David S. Miller --- net/ipv6/sit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index d65e0c4..dbd19a7 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -274,7 +274,7 @@ static int ipip6_tunnel_get_prl(struct ip_tunnel *t, c = 0; for (prl = t->prl; prl; prl = prl->next) { - if (c > cmax) + if (c >= cmax) break; if (kprl.addr != htonl(INADDR_ANY) && prl->addr != kprl.addr) continue; -- cgit v1.1