Hi Dan, On 27. May 2024, at 12:38, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > Also this check isn't great: > > if (dev->policy_sz < header->length + 512) > > header->length is a u32 that comes from the user, so the addition can > overflow. I can't immediately see how to exploit this though since we > don't seem to use header->length after this (by itself). How about if (header->length > U32_MAX - 512 || dev->policy_sz < header->length + 512) return -EINVAL; to prevent a possible overflow? header->length is used in the next line dev->policy_sz = header->length + 512; and if the addition overflows, we end up setting dev->policy_sz to an invalid value. Thanks, Thorsten
