On Fri, Sep 15, 2023 at 12:17:49PM -0600, Gustavo A. R. Silva wrote:
> If, for any reason, `tx_stats_num + rx_stats_num` wraps around, the
> protection that struct_size() adds against potential integer overflows
> is defeated. Fix this by hardening call to struct_size() with size_add().
>
> Fixes: 691f4077d560 ("gve: Replace zero-length array with flexible-array
> member")
> Signed-off-by: Gustavo A. R. Silva <[email protected]>
Thanks, yes, this will maintain SIZE_MAX saturation if it happens.
Reviewed-by: Kees Cook <[email protected]>
--
Kees Cook
