Re: [PATCH] dlm: check negative length in dlm_search_rsb_tree

Next message: Jonathan Corbet: "Re: [PATCH] dm: fix dm-inlinecrypt docs warnings"
Previous message: Christian Brauner: "Re: [PATCH RFC 2/5] dma-heap: charge dma-buf memory via explicit memcg"
In reply to: Joseph Qi: "[PATCH] dlm: check negative length in dlm_search_rsb_tree"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alexander Aring

Date: Fri May 15 2026 - 10:03:11 EST

Hi,

On Fri, May 15, 2026 at 3:39 AM Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> wrote:
>
> commit 080e5563f878 only checks for len > DLM_RESNAME_MAXLEN, which does
> not catch negative values. While the input 'len' can be negative and a
> negative int passed to memcpy() is implicitly converted to a large
> size_t, causing a stack buffer overflow on the key[] array.
>
> Fix this by also rejecting len <= 0.

or change the parameter to unsigned?

- Alex