This is a note to let you know that I've just added the patch titled tipc: fix a bit overflow in tipc_crypto_key_rcv() to the 5.16-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: tipc-fix-a-bit-overflow-in-tipc_crypto_key_rcv.patch and it can be found in the queue-5.16 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 256b368c5f0cd5e93d575129dfe605c7bf1ed90c Author: Hangyu Hua <hbh25y@xxxxxxxxx> Date: Fri Feb 11 12:55:10 2022 +0800 tipc: fix a bit overflow in tipc_crypto_key_rcv() [ Upstream commit 143de8d97d79316590475dc2a84513c63c863ddf ] msg_data_sz return a 32bit value, but size is 16bit. This may lead to a bit overflow. Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c index d293614d5fc65..b5074957e8812 100644 --- a/net/tipc/crypto.c +++ b/net/tipc/crypto.c @@ -2287,7 +2287,7 @@ static bool tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr) struct tipc_crypto *tx = tipc_net(rx->net)->crypto_tx; struct tipc_aead_key *skey = NULL; u16 key_gen = msg_key_gen(hdr); - u16 size = msg_data_sz(hdr); + u32 size = msg_data_sz(hdr); u8 *data = msg_data(hdr); unsigned int keylen;