diff options
| author | Dan Carpenter <[email protected]> | 2025-03-10 07:45:53 +0000 |
|---|---|---|
| committer | Pablo Neira Ayuso <[email protected]> | 2025-03-12 14:48:26 +0000 |
| commit | 80b78c39eb86e6b55f56363b709eb817527da5aa (patch) | |
| tree | a7e74dd37ffe080a2140ccf5e8ef2d56bb6aa9db /drivers/platform/x86/intel/hid.c | |
| parent | selftests: netfilter: skip br_netfilter queue tests if kernel is tainted (diff) | |
| download | kernel-80b78c39eb86e6b55f56363b709eb817527da5aa.tar.gz kernel-80b78c39eb86e6b55f56363b709eb817527da5aa.zip | |
ipvs: prevent integer overflow in do_ip_vs_get_ctl()
The get->num_services variable is an unsigned int which is controlled by
the user. The struct_size() function ensures that the size calculation
does not overflow an unsigned long, however, we are saving the result to
an int so the calculation can overflow.
Both "len" and "get->num_services" come from the user. This check is
just a sanity check to help the user and ensure they are using the API
correctly. An integer overflow here is not a big deal. This has no
security impact.
Save the result from struct_size() type size_t to fix this integer
overflow bug.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Julian Anastasov <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Diffstat (limited to 'drivers/platform/x86/intel/hid.c')
0 files changed, 0 insertions, 0 deletions