On Tue, Mar 11, 2025 at 07:50:44PM +0200, Julian Anastasov wrote:
Hello,
On Mon, 10 Mar 2025, Dan Carpenter wrote:
quoted
The get->num_services variable is an unsigned int which is controlled by
the user. The struct_size() function ensures that the size calculation
does not overflow an unsigned long, however, we are saving the result to
an int so the calculation can overflow.
Both "len" and "get->num_services" come from the user. This check is
just a sanity check to help the user and ensure they are using the API
correctly. An integer overflow here is not a big deal. This has no
security impact.
Save the result from struct_size() type size_t to fix this integer
overflow bug.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <redacted>
Looks good to me, thanks!
Acked-by: Julian Anastasov <ja@ssi.bg>
Pablo, you can apply it to the nf tree.
Done, thanks Julian.