On Mon, Dec 09, 2024 at 02:55:56PM -0400, Jason Gunthorpe wrote: > On Sat, Nov 30, 2024 at 01:01:37PM +0300, Dan Carpenter wrote: > > The "gl->tot_len" variable is controlled by the user. It comes from > > process_responses(). On 32bit systems, the "gl->tot_len + > > sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition > > could have an integer wrapping bug. Use size_add() to prevent this. > > > > Fixes: a08943947873 ("crypto: chtls - Register chtls with net tls") > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > --- > > This is from static analysis. I've spent some time reviewing this code > > but I might be wrong. > > Applied to for-next > > I fixed the Fixes line: > > Fixes: 1cab775c3e75 ("RDMA/cxgb4: Fix LE hash collision bug for passive open connection") Aw crud. There are two implementations of copy_gl_to_skb_pkt() and I only patched one. It's pretty weird how I mixed up the Fixes tags. Anyway, I'll patch drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_main.c as well. regards, dan carpenter