> @@ -757,7 +756,7 @@ struct ksmbd_rpc_command *ksmbd_rpc_ioctl(struct Hi Dan, > ksmbd_session *sess, int handle
> struct ksmbd_rpc_command *req;
> struct ksmbd_rpc_command *resp;
>
> - msg = ipc_msg_alloc(sizeof(struct ksmbd_rpc_command) + payload_sz + 1);
> + msg = ipc_msg_alloc(size_add(sizeof(struct ksmbd_rpc_command) + 1, > payload_sz));
> if (!msg)
> return NULL;
There is a memcpy() below as follows. memcpy(req->payload, payload, payload_sz); Doesn't memcpy with payload_sz cause buffer overflow? Wouldn't it be better to handle integer overflows as an error? Thanks.
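Review bot: The new `ipc_msg_alloc(size_add(...))` line relies on a property of `size_add()` that the code does not state, so a reader of the unchanged `if (!msg) return NULL;` check two lines later cannot tell that it is also the overflow path. A short comment on the allocation line would make the intent reviewable, e.g. `/* size_add() saturates to SIZE_MAX on overflow, so an oversized payload_sz fails in ipc_msg_alloc() */`. The body of ksmbd_rpc_ioctl continues outside the hunk, so whether payload_sz is bounded before this point cannot be confirmed from here; if the request header stores the length in a narrower field, that is worth a range check at the top of the function as well.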