On Tue, Oct 29, 2013 at 12:10 PM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> If "fibsize" is zero then it leads to a ZERO_SIZE_PTR dereference when
> we dereference user_srbcmd.

Btw, these "ZERO_SIZE_PTR dereference" issues aren't about ZERO_SIZE_PTR,
they are about overrunning the allocations.

The ZERO_SIZE_PTR pointer is a perfectly valid pointer and can be
dereferenced just fine, as long as you stay within the allocation size.
Think about it.

So I really get the feeling that checking for a zero size is very wrong.
If we can access the ZERO_SIZE_PTR, that means that we at some point
don't check the size limits, and if that's true for the zero size, I
don't see why that wouldn't be true for *other* sizes too..

I didn't check this particular case, and maybe zero really is special.
But it's not clear at all why it should be. Can you explain why zero is
special here, and why the buffer overrun cannot happen with size 1, for
example?

Because quite frankly, from what I can tell, testing against zero is
absolutely *WRONG*. Any size less than the size of "struct user_aac_srb"
would seem to be bogus. This has nothing to do with zero, or with
ZERO_SIZE_PTR.

Tell me why I'm wrong.

                Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
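The point of the reply above, shown as an added example that is not part of the thread and not the aacraid driver's own code: a zero-only check on a user-supplied length still lets a length of 1 through, so any field read from the allocated buffer overruns it, whereas checking the length against the size of the header struct keeps every dereference inside the allocation. The struct, its fields, the upper bound FIB_DATA_SIZE_MAX, and the handler are all stand-ins constructed for this example; malloc/memcpy take the place of the kernel's allocation and copy_from_user().

```c
/* Added example, not from the thread or the driver.  struct user_aac_srb
 * here is a hypothetical placeholder with constructed fields; the real
 * driver's layout is not reproduced. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the real header struct (constructed fields). */
struct user_aac_srb {
    uint32_t function;
    uint32_t channel;
    uint32_t id;
    uint32_t sg_count;
};

/* Constructed upper bound on the request size for this example. */
#define FIB_DATA_SIZE_MAX 4096

/* The check the patch under discussion proposed: rejects only size 0.
 * A fibsize of 1 passes, the allocation is 1 byte, and reading any
 * field of the struct then overruns it. */
static int fibsize_ok_zero_check(size_t fibsize)
{
    return fibsize != 0;
}

/* The check the reply argues for: the buffer must hold at least the
 * header struct.  The upper bound is an assumption added for the example. */
static int fibsize_ok_struct_check(size_t fibsize)
{
    return fibsize >= sizeof(struct user_aac_srb) &&
           fibsize <= FIB_DATA_SIZE_MAX;
}

/* Simulated ioctl handler: allocate fibsize bytes, copy the caller's
 * buffer in, and read one header field.  Returns that field's value or
 * a negative errno, mirroring kernel convention. */
static long handle_srb(const void *user_buf, size_t fibsize)
{
    struct user_aac_srb *user_srbcmd;
    long ret;

    if (!fibsize_ok_struct_check(fibsize))
        return -EINVAL;

    user_srbcmd = malloc(fibsize);
    if (!user_srbcmd)
        return -ENOMEM;

    /* stands in for copy_from_user() */
    memcpy(user_srbcmd, user_buf, fibsize);

    /* Every field read here lies inside the allocation, because
     * fibsize >= sizeof(*user_srbcmd) was verified before allocating. */
    ret = user_srbcmd->channel;
    free(user_srbcmd);
    return ret;
}
```

The two predicate functions are kept separate so the difference is visible in isolation: fibsize_ok_zero_check(1) returns true, fibsize_ok_struct_check(1) returns false, and only the latter guards handle_srb.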