The "l + 3" addition can have integer overflow on 32 bit systems when it is used in __xdr_inline_decode(). The overflowed value would be zero and the check "nwords > xdr->nwords" would not work as intended.
Fixes: ba8e452a4fe6 ("SUNRPC: Add a helper function xdr_inline_peek")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 include/linux/sunrpc/xdr.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index 2f8dc47f1eb0..585059f2afca 100644
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -14,6 +14,7 @@
 #include <linux/uio.h>
 #include <asm/byteorder.h>
 #include <asm/unaligned.h>
+#include <linux/overflow.h>
 #include <linux/scatterlist.h>
 
 struct bio_vec;
@@ -29,7 +30,7 @@ struct rpc_rqst;
 /*
  * Buffer adjustment
  */
-#define XDR_QUADLEN(l) (((l) + 3) >> 2)
+#define XDR_QUADLEN(l) (size_add(l, 3) >> 2)
 
 /*
  * Generic opaque `network object.'
-- 
2.43.0
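Review bot: `size_add()` is a function call, so the new `XDR_QUADLEN(l)` in the second hunk is no longer an integer constant expression and its result is always `size_t`. Any user outside this diff that puts the macro in an array bound, a static initializer or a derived `*_sz` constant would stop compiling, and callers that pass signed or narrower values now get an implicit conversion, so the tree should be checked before the shared macro is changed. If such users exist, a narrower fix is to leave `XDR_QUADLEN` as it was and saturate only at the length check the commit message names, along the lines of `nwords = size_add(nbytes, 3) >> 2;` (variable names assumed; that function is not part of this diff). Whichever form is kept, the definition deserves a comment such as `/* saturates on overflow: yields SIZE_MAX >> 2, never wraps to 0 */` so the reason for `size_add()` stays next to the macro.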