From: Breno Leitao <leitao@debian.org>
To: Simon Horman <horms@kernel.org>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, shuah@kernel.org, david+nfc@ixit.cz,
sameo@linux.intel.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, linux-kselftest@vger.kernel.org,
oe-linux-nfc@lists.linux.dev, kernel-team@meta.com
Subject: Re: [PATCH net] nfc: llcp: avoid userspace overflow on invalid optlen
Date: Wed, 20 May 2026 10:27:06 -0700 [thread overview]
Message-ID: <ag3uNJZ8uyn5jPry@gmail.com> (raw)
In-Reply-To: <20260518091103.427351-2-horms@kernel.org>
On Mon, May 18, 2026 at 10:11:04AM +0100, Simon Horman wrote:
> > @@ -319,6 +319,9 @@ static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname,
> > if (get_user(len, optlen))
> > return -EFAULT;
> >
> > + if (len < sizeof(u32))
> > + return -EINVAL;
>
> Since len is a signed int and sizeof(u32) is an unsigned size_t, does C
> integer promotion cause negative lengths to bypass this check?
Good catch, you're right. `len` is `int` and might get promoted to unsigned in the
comparison, so optlen = -1 becomes a huge value and slips past the check, then
min_t(u32, ...) clamps it back to 4 and the overflow happens anyway.
I'll fix this in v2 by casting:
if (len < (int)sizeof(u32))
return -EINVAL;
prev parent reply other threads:[~2026-05-20 17:27 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-13 10:57 [PATCH net] nfc: llcp: avoid userspace overflow on invalid optlen Breno Leitao
2026-05-18 9:11 ` Simon Horman
2026-05-20 17:27 ` Breno Leitao [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ag3uNJZ8uyn5jPry@gmail.com \
--to=leitao@debian.org \
--cc=davem@davemloft.net \
--cc=david+nfc@ixit.cz \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kernel-team@meta.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=oe-linux-nfc@lists.linux.dev \
--cc=pabeni@redhat.com \
--cc=sameo@linux.intel.com \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.