diff options
| author | Dan Carpenter <dan.carpenter@linaro.org> | 2025-09-30 15:38:09 +0300 |
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2025-10-06 22:27:28 -0400 |
| commit | 120642726ecb1b7a266f5c21bec90821e1154509 (patch) | |
| tree | efc44c86abc85462f080f44b96a243b475539b4e | |
| parent | 987da233b2982c686a8ea5cd4c76f0bd5e957ee3 (diff) | |
scsi: libfc: Prevent integer overflow in fc_fcp_recv_data()
The "offset" comes from the skb->data that we received. Here the code
is verifying that "offset + len" is within bounds however it does not
take integer overflows into account. Use size_add() to be safe.
This would only be an issue on 32bit systems which are probably a very
small percent of the users. Still, it's worth fixing just for
correctness sake.
Fixes: 42e9a92fe6a9 ("[SCSI] libfc: A modular Fibre Channel library")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Message-Id: <aNvPMet7TPtM9CY1@stanley.mountain>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
| -rw-r--r-- | drivers/scsi/libfc/fc_fcp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/libfc/fc_fcp.c b/drivers/scsi/libfc/fc_fcp.c index 16d0f02af1e4..31d08c115521 100644 --- a/drivers/scsi/libfc/fc_fcp.c +++ b/drivers/scsi/libfc/fc_fcp.c @@ -503,7 +503,7 @@ static void fc_fcp_recv_data(struct fc_fcp_pkt *fsp, struct fc_frame *fp) host_bcode = FC_ERROR; goto err; } - if (offset + len > fsp->data_len) { + if (size_add(offset, len) > fsp->data_len) { /* this should never happen */ if ((fr_flags(fp) & FCPHF_CRC_UNCHECKED) && fc_frame_crc_check(fp)) |