The pattern malloc(size + constant) is dangerous when size can be
manipulated by an attacker. In that case 'size' can be manipulated
in a way that 'size + constant' is 0 due to integer overflow. The
result is a zero sized buffer to which is then data written to.
Avoid this by using size_add() instead.
Reported-by: Jonathan Bar Or <jonathanbaror@xxxxxxxxx>
Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx>
---
fs/cramfs/cramfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cramfs/cramfs.c b/fs/cramfs/cramfs.c
index e554ebef6f..641a6d2b05 100644
--- a/fs/cramfs/cramfs.c
+++ b/fs/cramfs/cramfs.c
@@ -423,7 +423,7 @@ static const char *cramfs_get_link(struct dentry *dentry, struct inode *inode)
{
int ret;
- inode->i_link = xzalloc(inode->i_size + 1);
+ inode->i_link = xzalloc(size_add(inode->i_size, 1));
ret = cramfs_read_file(inode, 0, inode->i_link, inode->i_size);
if (ret < 0)
--
2.39.5
