> On Mar 15, 2022, at 11:34 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > > On a 32 bit system, the "len * sizeof(*p)" operation can have an > integer overflow. > > c: stable@xxxxxxxxxxxxxxx > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Trond, this patch was To: me, but either you or I can take this. Please let me know your preference. > --- > v2: add stable to the CC. Use SIZE_MAX. > > include/linux/sunrpc/xdr.h | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h > index b519609af1d0..4417f667c757 100644 > --- a/include/linux/sunrpc/xdr.h > +++ b/include/linux/sunrpc/xdr.h > @@ -731,6 +731,8 @@ xdr_stream_decode_uint32_array(struct xdr_stream *xdr, > > if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0)) > return -EBADMSG; > + if (len > SIZE_MAX / sizeof(*p)) > + return -EBADMSG; > p = xdr_inline_decode(xdr, len * sizeof(*p)); > if (unlikely(!p)) > return -EBADMSG; > -- > 2.20.1 > -- Chuck Lever
