[PATCH 1/5] accel/qaic: tighten bounds checking in encode_message()
Dan Carpenter
dan.carpenter at linaro.org
Thu Jun 22 11:54:08 UTC 2023
On Thu, Jun 22, 2023 at 02:43:57PM +0300, Dan Carpenter wrote:
> > > - if (!user_msg->count) {
> > > + if (!user_msg->count ||
> > > + user_msg->len < sizeof(*trans_hdr)) {
> > Can we have something like this here
> > user_msg->len < sizeof(*trans_hdr) * user_msg->count, no?
>
> This check was just to ensure that we have space for one header so that
> the "user_msg->len - sizeof(*trans_hdr)" subtraction doesn't overflow.
> We're going to need to check that we have space for each header later
> anyway. Can the multiply fail (on 32bit)?
s/fail/integer overflow/. Obviously failure is not an option when it
comes to multiplies.
regards,
dan carpenter
More information about the dri-devel
mailing list