mirror of https://github.com/torvalds/linux.git
The get->num_services variable is an unsigned int which is controlled by
the user. The struct_size() function ensures that the size calculation
does not overflow an unsigned long, however, we are saving the result to
an int so the calculation can overflow.

Both "len" and "get->num_services" come from the user. This check is
just a sanity check to help the user and ensure they are using the API
correctly. An integer overflow here is not a big deal. This has no
security impact.

Save the result from struct_size() type size_t to fix this integer
overflow bug.

Fixes:

| Name |
|---|
| Kconfig |
| Makefile |
| ip_vs_app.c |
| ip_vs_conn.c |
| ip_vs_core.c |
| ip_vs_ctl.c |
| ip_vs_dh.c |
| ip_vs_est.c |
| ip_vs_fo.c |
| ip_vs_ftp.c |
| ip_vs_lblc.c |
| ip_vs_lblcr.c |
| ip_vs_lc.c |
| ip_vs_mh.c |
| ip_vs_nfct.c |
| ip_vs_nq.c |
| ip_vs_ovf.c |
| ip_vs_pe.c |
| ip_vs_pe_sip.c |
| ip_vs_proto.c |
| ip_vs_proto_ah_esp.c |
| ip_vs_proto_sctp.c |
| ip_vs_proto_tcp.c |
| ip_vs_proto_udp.c |
| ip_vs_rr.c |
| ip_vs_sched.c |
| ip_vs_sed.c |
| ip_vs_sh.c |
| ip_vs_sync.c |
| ip_vs_twos.c |
| ip_vs_wlc.c |
| ip_vs_wrr.c |
| ip_vs_xmit.c |