On Mon, Jan 24, 2022 at 12:19:03PM -0800, Kees Cook wrote:
> This could still overflow if struct_size() returns SIZE_MAX. Perhaps:
>
> 	if (check_add_overflow(struct_size(request, ops, msg_count),
> 			       data_out_size, &request_size))
> 		request_size = SIZE_MAX;
>
> I should brush off the saturating arithmetic helpers series:
> https://lore.kernel.org/all/20210920180853.1825195-1-keescook@chromium.org/

Yes, please! Those seem like a million times easier to use.
regards, dan carpenter