On Fri, 2023-06-30 at 12:46 +0300, Dan Carpenter wrote: > This integer overflow check works as intended but Clang and GCC and warn > about it when compiling with W=1. > > include/linux/sunrpc/xdr.h:539:17: error: comparison is always false > due to limited range of data type [-Werror=type-limits] > > Use size_mul() to prevent the integer overflow. It silences the warning > and it's cleaner as well. > > Reported-by: Dmitry Antipov <dmantipov@xxxxxxxxx> > Closes: https://lore.kernel.org/all/20230601143332.255312-1-dmantipov@xxxxxxxxx/ > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > Btw, since the Clang developers are automatically CC'd, here is how I > silenced this type of false positive in Smatch: > > 1) Check that longs are 64 bit. > 2) Check that the right hand side has a SIZE_MAX. SIZE_MAX is defined > as -1UL so you want both the type and the value to match. > 3) Then on the other the other side, check that the type is uint. > > I'm looking at this code now in Smatch and it's kind of ugly, and also > there are some other places where I need to apply the same logic... > > include/linux/sunrpc/xdr.h | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h > index f89ec4b5ea16..dbf7620a2853 100644 > --- a/include/linux/sunrpc/xdr.h > +++ b/include/linux/sunrpc/xdr.h > @@ -775,9 +775,7 @@ xdr_stream_decode_uint32_array(struct xdr_stream *xdr, > > if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0)) > return -EBADMSG; > - if (len > SIZE_MAX / sizeof(*p)) > - return -EBADMSG; > - p = xdr_inline_decode(xdr, len * sizeof(*p)); > + p = xdr_inline_decode(xdr, size_mul(len, sizeof(*p))); > if (unlikely(!p)) > return -EBADMSG; > if (array == NULL) Acked-by: Jeff Layton <jlayton@xxxxxxxxxx>
