The pattern malloc(size + constant) is dangerous when size can be
manipulated by an attacker. In that case 'size' can be manipulated
in a way that 'size + constant' is 0 due to integer overflow. The
result is a zero sized buffer to which is then data written to.
Avoid this by using size_add() instead.
Reported-by: Jonathan Bar Or <jonathanbaror@xxxxxxxxx>
Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
fs/ext4/ext_barebox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/ext_barebox.c b/fs/ext4/ext_barebox.c
index 163c4d2fe1..7480c045d7 100644
--- a/fs/ext4/ext_barebox.c
+++ b/fs/ext4/ext_barebox.c
@@ -189,7 +189,7 @@ static const char *ext_get_link(struct dentry *dentry, struct inode *inode)
BUG_ON(inode->i_link);
- inode->i_link = zalloc(inode->i_size + 1);
+ inode->i_link = zalloc(size_add(inode->i_size, 1));
ret = ext4fs_read_file(node, 0, inode->i_size, inode->i_link);
if (ret == 0) {
--
2.39.5
