"k_tmp->len" and "total" are unsigned integers. The first message could be close to "bufsiz" (4096) and then the next message could be 4GB which would cause an integer overflow. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- I have not tested this. diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c index 830adbe..aab05e1 100644 --- a/drivers/spi/spidev.c +++ b/drivers/spi/spidev.c @@ -241,7 +241,7 @@ static int spidev_message(struct spidev_data *spidev, k_tmp->len = u_tmp->len; total += k_tmp->len; - if (total > bufsiz) { + if (total > bufsiz || total < k_tmp->len) { status = -EMSGSIZE; goto done; } -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html