[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220531213500.521ef5cc@kernel.org>
Date: Tue, 31 May 2022 21:35:00 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Wang Yufen <wangyufen@...wei.com>
Cc: <davem@...emloft.net>, <yoshfuji@...ux-ipv6.org>,
<dsahern@...nel.org>, <edumazet@...gle.com>, <pabeni@...hat.com>,
<ast@...nel.org>, <daniel@...earbox.net>, <andrii@...nel.org>,
<kafai@...com>, <songliubraving@...com>, <yhs@...com>,
<john.fastabend@...il.com>, <kpsingh@...nel.org>,
<netdev@...r.kernel.org>, <bpf@...r.kernel.org>
Subject: Re: [PATCH net-next v3] ipv6: Fix signed integer overflow in
__ip6_append_data
On Sat, 28 May 2022 10:23:12 +0800 Wang Yufen wrote:
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 55afd7f39c04..91704bbc7715 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -1308,7 +1308,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> struct ipcm6_cookie ipc6;
> int addr_len = msg->msg_namelen;
> bool connected = false;
> - int ulen = len;
> + size_t ulen = len;
> int corkreq = READ_ONCE(up->corkflag) || msg->msg_flags&MSG_MORE;
> int err;
> int is_udplite = IS_UDPLITE(sk);
No need to change ulen neither, it will not overflow and will be
promoted to size_t when passed to ip6_append_data() / ip6_make_skb().
Powered by blists - more mailing lists