From cc65f31250261a1ba777755109c2075dd4b7ba36 Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Mon, 10 Oct 2022 02:28:22 +0200
Subject: packet: Fix off-by-one in packet_get_do() sanity checks

An n-sized pool, or a pool with n entries, doesn't include index n,
only up to n - 1.

I'm not entirely sure this sanity check actually covers any
practical case, but I spotted this while debugging a hang in
tap4_handler() (possibly due to malformed sequence entries from
qemu).

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
---
 packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packet.c b/packet.c
index 3f82e84..d1ff998 100644
--- a/packet.c
+++ b/packet.c
@@ -87,7 +87,7 @@ void packet_add_do(struct pool *p, size_t len, const char *start,
 void *packet_get_do(const struct pool *p, size_t index, size_t offset,
 		    size_t len, size_t *left, const char *func, int line)
 {
-	if (index > p->size || index > p->count) {
+	if (index >= p->size || index >= p->count) {
 		if (func) {
 			trace("packet %lu from pool size: %lu, count: %lu, "
 			      "%s:%i", index, p->size, p->count, func, line);
-- 
cgit v1.2.3