Re: [PATCH net] nfc: llcp: avoid userspace overflow on invalid optlen
From: Breno Leitao
Date: Wed May 20 2026 - 14:21:48 EST
On Mon, May 18, 2026 at 10:11:04AM +0100, Simon Horman wrote:
> > @@ -319,6 +319,9 @@ static int nfc_llcp_getsockopt(struct socket *sock, int level, int optname,
> > if (get_user(len, optlen))
> > return -EFAULT;
> >
> > + if (len < sizeof(u32))
> > + return -EINVAL;
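Review bot: the new `if (len < sizeof(u32))` check compares the signed `int len` against the unsigned `size_t` that `sizeof` yields, so `len` is converted to `size_t` under the usual arithmetic conversions and a negative optlen such as -1 becomes a huge value that passes the check instead of being rejected. Compare against `(int)sizeof(u32)`, or reject `len < 0` explicitly before this test, so that negative lengths return -EINVAL here rather than reaching the later clamp.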
>
> Since len is a signed int and sizeof(u32) is an unsigned size_t, does C
> integer promotion cause negative lengths to bypass this check?
Good catch, you're right. `len` is `int` and might get promoted to unsigned in the
comparison, so optlen = -1 becomes a huge value and slips past the check, then
min_t(u32, ...) clamps it back to 4 and the overflow happens anyway.
I'll fix this in v2 by casting:
	if (len < (int)sizeof(u32))
		return -EINVAL;
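To make the promotion discussed in this thread concrete, here is an added stand-alone C example (not code from the patch or the kernel) that mirrors the check from the quoted hunk, the v2 variant with the cast, and the min_t(u32, ...) clamp that follows; the names optlen_check_v1, optlen_check_v2 and min_u32 are hypothetical helpers, and the optlen values fed to them are constructed samples.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Stand-in for the kernel's min_t(u32, a, b): both arguments are converted to
   u32 before the comparison, so a negative int arrives here as 0xFFFFFFFF. */
static u32 min_u32(u32 a, u32 b)
{
	return a < b ? a : b;
}

/* Length check as written in the quoted hunk. The (size_t) cast spells out the
   usual arithmetic conversion the compiler applies implicitly to
   `len < sizeof(u32)`: the signed int becomes an unsigned size_t, so -1 turns
   into SIZE_MAX and sails past the check. Returns the number of bytes that
   would then be copied to userspace, or -EINVAL when the length is rejected. */
int optlen_check_v1(int len)
{
	if ((size_t)len < sizeof(u32))
		return -EINVAL;
	return (int)min_u32((u32)len, sizeof(u32));
}

/* The v2 fix proposed above: casting sizeof() to int keeps the comparison
   signed, so a negative optlen is refused before the clamp ever runs. */
int optlen_check_v2(int len)
{
	if (len < (int)sizeof(u32))
		return -EINVAL;
	return (int)min_u32((u32)len, sizeof(u32));
}

int main(void)
{
	const int lens[] = { -1, 0, 2, 4, 64 }; /* constructed optlen samples */
	size_t i;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
		printf("optlen %3d: v1 -> %3d  v2 -> %3d\n", lens[i],
		       optlen_check_v1(lens[i]), optlen_check_v2(lens[i]));
	return 0;
}
```

For optlen -1 the v1 check returns 4 (the clamp result), while v2 returns -EINVAL; both reject 0 and 2 and accept 4 and larger.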