Re: [PATCH] dlm: check negative length in dlm_search_rsb_tree

Next message: Alexei Starovoitov: "Re: [PATCH bpf-next v11 00/11] selftests/bpf: Tolerate partial builds across kernel configs"
Previous message: Abdurrahman Hussain: "Re: [PATCH] i2c: mux: reg: use device property accessors"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joseph Qi

Date: Sat May 16 2026 - 21:30:27 EST

On 5/15/26 9:30 PM, Alexander Aring wrote:
> Hi,
>
> On Fri, May 15, 2026 at 3:39 AM Joseph Qi <joseph.qi@xxxxxxxxxxxxxxxxx> wrote:
>>
>> commit 080e5563f878 only checks for len > DLM_RESNAME_MAXLEN, which does
>> not catch negative values. While the input 'len' can be negative and a
>> negative int passed to memcpy() is implicitly converted to a large
>> size_t, causing a stack buffer overflow on the key[] array.
>>
>> Fix this by also rejecting len <= 0.
>
> or change the parameter to unsigned?
>

Yes, it would be fine. I'll work on it and send v2 later.

Thanks,
Joseph