On Wed, Jan 26, 2022 at 01:54:04PM +0300, Dan Carpenter wrote:
> On Mon, Jan 24, 2022 at 12:19:03PM -0800, Kees Cook wrote:
> > This could still overflow if struct_size() returns SIZE_MAX. Perhaps:
> >
> >     if (check_add_overflow(struct_size(request, ops, msg_count),
> >                            data_out_size, &request_size))
> >         request_size = SIZE_MAX;
> >
> > I should brush off the saturating arithmetic helpers series:
> > https://lore.kernel.org/all/20210920180853.1825195-1-keescook@xxxxxxxxxxxx/
>
> Yes, please! Those seem like a million times easier to use.

Here they are! :) Please review:
https://lore.kernel.org/lkml/20220124232342.3113350-1-keescook@xxxxxxxxxxxx/

Thanks!

--
Kees Cook
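The wrap pointed out in the quoted suggestion, modelled in userspace as an added example (not code from this thread or from the kernel tree). The struct layouts and struct_size_model() are constructed stand-ins, and the compiler builtin __builtin_add_overflow stands in for check_add_overflow().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the request type in the thread (layout assumed). */
struct op { uint32_t id; uint32_t len; };
struct request { uint32_t count; struct op ops[]; };

/* Userspace model of struct_size(): header + n * element, SIZE_MAX on overflow. */
static size_t struct_size_model(size_t hdr, size_t elem, size_t n)
{
    size_t bytes;

    if (__builtin_mul_overflow(elem, n, &bytes) ||
        __builtin_add_overflow(bytes, hdr, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Plain '+': a saturated SIZE_MAX plus data_out_size wraps to a small size. */
static size_t request_size_unchecked(size_t msg_count, size_t data_out_size)
{
    return struct_size_model(sizeof(struct request), sizeof(struct op),
                             msg_count) + data_out_size;
}

/* Checked add as suggested in the thread: stay at SIZE_MAX on overflow. */
static size_t request_size_checked(size_t msg_count, size_t data_out_size)
{
    size_t request_size;

    if (__builtin_add_overflow(struct_size_model(sizeof(struct request),
                                                 sizeof(struct op), msg_count),
                               data_out_size, &request_size))
        request_size = SIZE_MAX;
    return request_size;
}

int main(void)
{
    size_t huge = SIZE_MAX;  /* constructed hostile msg_count */

    printf("normal    : %zu\n", request_size_checked(4, 64));
    printf("unchecked : %zu\n", request_size_unchecked(huge, 64));
    printf("checked   : %zu\n", request_size_checked(huge, 64));
    return 0;
}
```

With the plain addition the allocator is asked for a tiny buffer that it can satisfy; with the checked addition the size stays at SIZE_MAX, which no allocator can satisfy, so the request fails instead of being undersized.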