On Sat, Nov 30, 2024 at 01:01:37PM +0300, Dan Carpenter wrote: > The "gl->tot_len" variable is controlled by the user. It comes from > process_responses(). On 32bit systems, the "gl->tot_len + > sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition > could have an integer wrapping bug. Use size_add() to prevent this. > > Fixes: a08943947873 ("crypto: chtls - Register chtls with net tls") > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > This is from static analysis. I've spent some time reviewing this code > but I might be wrong. Applied to for-next I fixed the Fixes line: Fixes: 1cab775c3e75 ("RDMA/cxgb4: Fix LE hash collision bug for passive open connection") Thanks, Jason