From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: potential integer overflow in xenbus_file_write()
Date: Thu, 13 Sep 2012 19:00:32 +0300
Message-ID: <20120913160032.GA29082@elgon.mountain>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <virtualization-bounces@lists.linux-foundation.org>
Content-Disposition: inline
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/virtualization>,
	<mailto:virtualization-request@lists.linux-foundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/virtualization/>
List-Post: <mailto:virtualization@lists.linux-foundation.org>
List-Help: <mailto:virtualization-request@lists.linux-foundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/virtualization>,
	<mailto:virtualization-request@lists.linux-foundation.org?subject=subscribe>
Sender: virtualization-bounces@lists.linux-foundation.org
Errors-To: virtualization-bounces@lists.linux-foundation.org
To: virtualization@lists.linux-foundation.org
List-Id: virtualization@lists.linuxfoundation.org

Hi,

I was reading some code and had a question in xenbus_file_write()

drivers/xen/xenbus/xenbus_dev_frontend.c
   461          if ((len + u->len) > sizeof(u->u.buffer)) {
                     ^^^^^^^^^^^^
Can this addition overflow?  Should the test be something like:

	if (len > sizeof(u->u.buffer) || len + u->len > sizeof(u->u.buffer)) {

   462                  /* On error, dump existing buffer */
   463                  u->len = 0;
   464                  rc = -EINVAL;
   465                  goto out;
   466          }
   467  
   468          ret = copy_from_user(u->u.buffer + u->len, ubuf, len);
   469  

regards,
dan carpenter