This integer overflow check works as intended but Clang and GCC and warn
about it when compiling with W=1.
include/linux/sunrpc/xdr.h:539:17: error: comparison is always false
due to limited range of data type [-Werror=type-limits]
Use size_mul() to prevent the integer overflow. It silences the warning
and it's cleaner as well.
Reported-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
Closes: https://lore.kernel.org/all/20230601143332.255312-1-dmantipov@xxxxxxxxx/
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
Btw, since the Clang developers are automatically CC'd, here is how I
silenced this type of false positive in Smatch:
1) Check that longs are 64 bit.
2) Check that the right hand side has a SIZE_MAX. SIZE_MAX is defined
as -1UL so you want both the type and the value to match.
3) Then on the other the other side, check that the type is uint.
I'm looking at this code now in Smatch and it's kind of ugly, and also
there are some other places where I need to apply the same logic...
include/linux/sunrpc/xdr.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index f89ec4b5ea16..dbf7620a2853 100644
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -775,9 +775,7 @@ xdr_stream_decode_uint32_array(struct xdr_stream *xdr,
if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0))
return -EBADMSG;
- if (len > SIZE_MAX / sizeof(*p))
- return -EBADMSG;
- p = xdr_inline_decode(xdr, len * sizeof(*p));
+ p = xdr_inline_decode(xdr, size_mul(len, sizeof(*p)));
if (unlikely(!p))
return -EBADMSG;
if (array == NULL)
--
2.39.2
