Re: [PATCH] cxgb4: prevent potential integer overflow on 32bit

From: Dan Carpenter
Date: Tue Dec 10 2024 - 04:18:34 EST

Next message: Andrej Picej: "[PATCH v5 0/3] SN65DSI83/4 lvds_vod_swing properties"
Previous message: Vlastimil Babka: "Re: [PATCH v5 2/6] mm: move per-vma lock into vm_area_struct"
In reply to: Jason Gunthorpe: "Re: [PATCH] cxgb4: prevent potential integer overflow on 32bit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Dec 09, 2024 at 02:55:56PM -0400, Jason Gunthorpe wrote:
> On Sat, Nov 30, 2024 at 01:01:37PM +0300, Dan Carpenter wrote:
> > The "gl->tot_len" variable is controlled by the user. It comes from
> > process_responses(). On 32bit systems, the "gl->tot_len +
> > sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition
> > could have an integer wrapping bug. Use size_add() to prevent this.
> >
> > Fixes: a08943947873 ("crypto: chtls - Register chtls with net tls")
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> > ---
> > This is from static analysis. I've spent some time reviewing this code
> > but I might be wrong.
>
> Applied to for-next
>
> I fixed the Fixes line:
>
> Fixes: 1cab775c3e75 ("RDMA/cxgb4: Fix LE hash collision bug for passive open connection")

Aw crud. There are two implementations of copy_gl_to_skb_pkt() and I
only patched one. It's pretty weird how I mixed up the Fixes tags.
Anyway, I'll patch drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_main.c
as well.

regards,
dan carpenter

Next message: Andrej Picej: "[PATCH v5 0/3] SN65DSI83/4 lvds_vod_swing properties"
Previous message: Vlastimil Babka: "Re: [PATCH v5 2/6] mm: move per-vma lock into vm_area_struct"
In reply to: Jason Gunthorpe: "Re: [PATCH] cxgb4: prevent potential integer overflow on 32bit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]