Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()

From: Jakub Kicinski
Date: Wed Jan 22 2025 - 09:24:39 EST

Next message: Peter Zijlstra: "Re: [PATCH v4 30/39] unwind_user/deferred: Make unwind deferral requests NMI-safe"
Previous message: Danilo Krummrich: "Re: [PATCH] rust: io: move offset_valid and io_addr(_assert) to IoRaw"
In reply to: Dan Carpenter: "Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()"
Next in thread: Simon Horman: "Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 22 Jan 2025 16:49:17 +0300 Dan Carpenter wrote:
> The "payload" variable is type size_t, however the nlmsg_total_size()
> function will a few bytes to it and then truncate the result to type
> int. That means that if "payload" is more than UINT_MAX the alloc_skb()
> function might allocate a buffer which is smaller than intended.

Is there a bug, or is this theoretical?

Next message: Peter Zijlstra: "Re: [PATCH v4 30/39] unwind_user/deferred: Make unwind deferral requests NMI-safe"
Previous message: Danilo Krummrich: "Re: [PATCH] rust: io: move offset_valid and io_addr(_assert) to IoRaw"
In reply to: Dan Carpenter: "Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()"
Next in thread: Simon Horman: "Re: [PATCH net] net: netlink: prevent potential integer overflow in nlmsg_new()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]